On Tue, Dec 22, 2020 at 12:07:04PM +0000, James Reynolds wrote:
> When processing a MCE_RSP_GETPORTSTATUS command, the bit index to set in
> ir->txports_cabled comes from response data, and isn't validated.
>
> As ir->txports_cabled is a u8, nothing should be done if the bit index
> is greater than 7.
>
> Cc: stable@xxxxxxxxxxxxxxx
> Reported-by: syzbot+ec3b3128c576e109171d@xxxxxxxxxxxxxxxxxxxxxxxxx
> Signed-off-by: James Reynolds <jr@xxxxxxxxxx>
> ---
> drivers/media/rc/mceusb.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/media/rc/mceusb.c b/drivers/media/rc/mceusb.c
> index f1dbd059ed08..c8d63673e131 100644
> --- a/drivers/media/rc/mceusb.c
> +++ b/drivers/media/rc/mceusb.c
> @@ -1169,7 +1169,7 @@ static void mceusb_handle_command(struct mceusb_dev *ir, u8 *buf_in)
> switch (subcmd) {
> /* the one and only 5-byte return value command */
> case MCE_RSP_GETPORTSTATUS:
> - if (buf_in[5] == 0)
> + if (buf_in[5] == 0 && *hi < 8)
> ir->txports_cabled |= 1 << *hi;
So *hi is a port number. I don't know of any devices that have more than
2 ports, so this is fine.
Reviewed-by: Sean Young <sean@xxxxxxxx>
Thanks
Sean
