On 27/09/2022 04:01, Hangyu Hua wrote: > On 19/5/2022 10:17, Hangyu Hua wrote: >> vb2_core_qbuf and vb2_core_querybuf don't check the range of b->index >> controlled by the user. >> >> Fix this by adding range checking code before using them. >> >> Fixes: 57868acc369a ("media: videobuf2: Add new uAPI for DVB streaming I/O") >> Signed-off-by: Hangyu Hua <hbh25y@xxxxxxxxx> >> Reviewed-by: Sergey Senozhatsky <senozhatsky@xxxxxxxxxxxx> >> --- >> >> v2: >> 1. fix inappropriate use of dprintk. >> 2. add "fixes" tag >> >> drivers/media/dvb-core/dvb_vb2.c | 11 +++++++++++ >> 1 file changed, 11 insertions(+) >> >> diff --git a/drivers/media/dvb-core/dvb_vb2.c b/drivers/media/dvb-core/dvb_vb2.c >> index a1bd6d9c9223..909df82fed33 100644 >> --- a/drivers/media/dvb-core/dvb_vb2.c >> +++ b/drivers/media/dvb-core/dvb_vb2.c >> @@ -354,6 +354,12 @@ int dvb_vb2_reqbufs(struct dvb_vb2_ctx *ctx, struct dmx_requestbuffers *req) >> int dvb_vb2_querybuf(struct dvb_vb2_ctx *ctx, struct dmx_buffer *b) >> { >> + struct vb2_queue *q = &ctx->vb_q; >> + >> + if (b->index >= q->num_buffers) { >> + dprintk(1, "[%s] buffer index out of range\n", ctx->name); >> + return -EINVAL; >> + } >> vb2_core_querybuf(&ctx->vb_q, b->index, b); >> dprintk(3, "[%s] index=%d\n", ctx->name, b->index); >> return 0; 
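Review bot: in the dvb_vb2_querybuf() hunk the new local `q` is used only for the range check, while the call immediately below it still passes `&ctx->vb_q`; now that `q` exists, `vb2_core_querybuf(q, b->index, b);` keeps the function consistent. The placement of the check is right: it rejects the user-supplied b->index before it reaches vb2_core_querybuf(), which the commit message says performs no range check of its own, and the `>=` comparison also covers the off-by-one case b->index == q->num_buffers.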
>> @@ -378,8 +384,13 @@ int dvb_vb2_expbuf(struct dvb_vb2_ctx *ctx, struct dmx_exportbuffer *exp) >> int dvb_vb2_qbuf(struct dvb_vb2_ctx *ctx, struct dmx_buffer *b) >> { >> + struct vb2_queue *q = &ctx->vb_q; >> int ret; >> + if (b->index >= q->num_buffers) { >> + dprintk(1, "[%s] buffer index out of range\n", ctx->name); >> + return -EINVAL; >> + } >> ret = vb2_core_qbuf(&ctx->vb_q, b->index, b, NULL); >> if (ret) { >> dprintk(1, "[%s] index=%d errno=%d\n", ctx->name,
>
> Hi guys,
>
> Looks like this patch was forgotten and not merged into the master branch. This bug is still in:
> https://git.linuxtv.org/media_tree.git/tree/drivers/media/dvb-core/dvb_vb2.c#n355
> and
> https://git.linuxtv.org/media_tree.git/tree/drivers/media/dvb-core/dvb_vb2.c#n379
>
> Thanks,
> Hangyu

That's weird, it was part of this pull request:

https://patchwork.linuxtv.org/project/linux-media/patch/2eeaad13-091d-6547-cdeb-0a7a15dc5c3f@xxxxxxxxx/

But none of the patches in that PR ever made it to upstream. Something went very wrong with that PR.

I'm preparing a new pull request.

Thank you very much for notifying me!

Regards,

Hans
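Review bot: in the dvb_vb2_qbuf() hunk the range check is a verbatim copy of the one added to dvb_vb2_querybuf(); a small static helper (for example a hypothetical dvb_vb2_check_index(ctx, b->index)) would remove the duplication and give any other entry point that takes a user-supplied index one place to call. The new dprintk also reports only "buffer index out of range", whereas the existing error path directly below it logs `index=%d errno=%d`; logging the rejected value too, e.g. `dprintk(1, "[%s] index=%d out of range\n", ctx->name, b->index);`, makes the rejection diagnosable from the same log. As in the querybuf hunk, `q` is introduced but the vb2_core_qbuf() call still passes `&ctx->vb_q`.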
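As an added example, not code from the patch, from videobuf2 or from the kernel, the following user-space C model of the querybuf path shows the property the patch relies on: the user-controlled index has to be compared against the number of buffers actually allocated (num_buffers), not against the capacity of the bufs[] array, because slots below the capacity but at or beyond num_buffers hold nothing. struct model_queue, model_lookup_result, MODEL_MAX_FRAME and the 4096-byte buffer length are assumptions of this model.

```c
/* Added example: a user-space model of a vb2-style buffer queue with the
 * range check the patch adds.  Not the kernel's code; all names below are
 * assumptions made for the illustration. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MODEL_MAX_FRAME 32      /* assumed fixed capacity of bufs[] */
#define MODEL_BUF_LENGTH 4096   /* assumed size of each allocated buffer */

struct model_buffer {
    uint32_t index;
    uint32_t length;
};

/* Only the first num_buffers slots of bufs[] point at allocated buffers;
 * the remaining slots are NULL. */
struct model_queue {
    struct model_buffer *bufs[MODEL_MAX_FRAME];
    unsigned int num_buffers;
};

/* What the ioctl receives from user space: index is fully attacker controlled. */
struct model_dmx_buffer {
    uint32_t index;
    uint32_t length;
};

static void queue_free(struct model_queue *q)
{
    for (unsigned int i = 0; i < q->num_buffers; i++)
        free(q->bufs[i]);
    q->num_buffers = 0;
}

/* Models reqbufs: allocate `count` buffers, leaving the other slots NULL. */
static int queue_init(struct model_queue *q, unsigned int count)
{
    memset(q, 0, sizeof(*q));
    if (count > MODEL_MAX_FRAME)
        return -EINVAL;
    for (unsigned int i = 0; i < count; i++) {
        q->bufs[i] = calloc(1, sizeof(*q->bufs[i]));
        if (!q->bufs[i]) {
            q->num_buffers = i;
            queue_free(q);
            return -ENOMEM;
        }
        q->bufs[i]->index = i;
        q->bufs[i]->length = MODEL_BUF_LENGTH;
    }
    q->num_buffers = count;
    return 0;
}

/* The unchecked lookup: the caller must guarantee b->index < num_buffers.
 * With an out-of-range index this dereferences a NULL slot or reads past
 * bufs[], which is the class of bug the patch closes. */
static int buf_lookup_unchecked(const struct model_queue *q, struct model_dmx_buffer *b)
{
    const struct model_buffer *vb = q->bufs[b->index];
    b->length = vb->length;
    return 0;
}

/* The checked lookup: reject the index before it is used as a subscript.
 * Comparing unsigned values means a -1 sent from user space (arriving as
 * UINT32_MAX) is rejected by the same single test as index == num_buffers. */
static int buf_lookup_checked(const struct model_queue *q, struct model_dmx_buffer *b)
{
    if (b->index >= q->num_buffers)
        return -EINVAL;
    return buf_lookup_unchecked(q, b);
}

/* Builds a queue with `count` buffers, looks up `index` through the checked
 * path, frees the queue and returns the lookup result (0 or -errno). */
static int model_lookup_result(unsigned int count, uint32_t index)
{
    struct model_queue q;
    struct model_dmx_buffer b = { .index = index, .length = 0 };
    int ret = queue_init(&q, count);
    if (ret)
        return ret;
    ret = buf_lookup_checked(&q, &b);
    if (ret == 0 && b.length != MODEL_BUF_LENGTH)
        ret = -EIO;  /* a valid index must resolve to a real buffer */
    queue_free(&q);
    return ret;
}

int main(void)
{
    const uint32_t probes[] = { 0, 3, 4, 31, UINT32_MAX };
    for (size_t i = 0; i < sizeof(probes) / sizeof(probes[0]); i++)
        printf("num_buffers=4 index=%u -> %d\n", probes[i], model_lookup_result(4, probes[i]));
    return 0;
}
```

The index 31 case is the instructive one: it is inside the array's capacity, so a check against MODEL_MAX_FRAME alone would let it through to a NULL slot, whereas the check against num_buffers rejects it.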