Patch "media: m88rs6000t: avoid potential out-of-bounds reads on arrays" has been added to the 5.10-stable tree

Sasha Levin <sashal@xxxxxxxxxx> · Wed, 12 May 2021 08:28:21 -0400

This is a note to let you know that I've just added the patch titled

    media: m88rs6000t: avoid potential out-of-bounds reads on arrays

to the 5.10-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     media-m88rs6000t-avoid-potential-out-of-bounds-reads.patch
and it can be found in the queue-5.10 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit aac7c42ae6bad6c8ada83010e1575fee17867bc3
Author: Colin Ian King <colin.king@xxxxxxxxxxxxx>
Date:   Wed Oct 7 14:16:28 2020 +0200

    media: m88rs6000t: avoid potential out-of-bounds reads on arrays
    
    [ Upstream commit 9baa3d64e8e2373ddd11c346439e5dfccb2cbb0d ]
    
    There a 3 array for-loops that don't check the upper bounds of the
    index into arrays and this may lead to potential out-of-bounds
    reads.  Fix this by adding array size upper bounds checks to be
    full safe.
    
    Addresses-Coverity: ("Out-of-bounds read")
    
    Link: https://lore.kernel.org/linux-media/20201007121628.20676-1-colin.king@xxxxxxxxxxxxx
    Fixes: 333829110f1d ("[media] m88rs6000t: add new dvb-s/s2 tuner for integrated chip M88RS6000")
    Signed-off-by: Colin Ian King <colin.king@xxxxxxxxxxxxx>
    Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@xxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/drivers/media/tuners/m88rs6000t.c b/drivers/media/tuners/m88rs6000t.c
index b3505f402476..8647c50b66e5 100644
--- a/drivers/media/tuners/m88rs6000t.c
+++ b/drivers/media/tuners/m88rs6000t.c
@@ -525,7 +525,7 @@ static int m88rs6000t_get_rf_strength(struct dvb_frontend *fe, u16 *strength)
 	PGA2_cri = PGA2_GC >> 2;
 	PGA2_crf = PGA2_GC & 0x03;
 
-	for (i = 0; i <= RF_GC; i++)
+	for (i = 0; i <= RF_GC && i < ARRAY_SIZE(RFGS); i++)
 		RFG += RFGS[i];
 
 	if (RF_GC == 0)
@@ -537,12 +537,12 @@ static int m88rs6000t_get_rf_strength(struct dvb_frontend *fe, u16 *strength)
 	if (RF_GC == 3)
 		RFG += 100;
 
-	for (i = 0; i <= IF_GC; i++)
+	for (i = 0; i <= IF_GC && i < ARRAY_SIZE(IFGS); i++)
 		IFG += IFGS[i];
 
 	TIAG = TIA_GC * TIA_GS;
 
-	for (i = 0; i <= BB_GC; i++)
+	for (i = 0; i <= BB_GC && i < ARRAY_SIZE(BBGS); i++)
 		BBG += BBGS[i];
 
 	PGA2G = PGA2_cri * PGA2_cri_GS + PGA2_crf * PGA2_crf_GS;






