From patchwork Wed May 9 20:08:00 2018
X-Patchwork-Submitter: Daniel Scheller
X-Patchwork-Id: 10390795
From: Daniel Scheller
To: linux-media@vger.kernel.org, mchehab@kernel.org, mchehab@s-opensource.com, mchehab+samsung@kernel.org
Cc: Ralph Metzler
Subject: [PATCH 1/4] [media] ddbridge/mci: protect against out-of-bounds array access in stop()
Date: Wed, 9 May 2018 22:08:00 +0200
Message-Id: <20180509200803.5253-2-d.scheller.oss@gmail.com>
X-Mailer: git-send-email 2.16.1
In-Reply-To: <20180509200803.5253-1-d.scheller.oss@gmail.com>
References: <20180509200803.5253-1-d.scheller.oss@gmail.com>

From: Daniel Scheller

In stop(), an (unlikely) out-of-bounds write error can occur when setting the demod_in_use element indexed by state->demod to zero, as state->demod isn't checked for being in the range of the array size of demod_in_use, and state->demod may be carrying the magic 0xff (demod unused) value. Prevent this by checking state->demod not exceeding the array size before setting the element value. To make the code a bit easier to read, replace the magic value and the number of array elements with defines, and use them at a few more places.

Detected by CoverityScan, CID#1468550 ("Out-of-bounds write")

Thanks to Colin for reporting the problem and providing an initial patch.

Fixes: daeeb1319e6f ("media: ddbridge: initial support for MCI-based MaxSX8 cards")
Reported-by: Colin Ian King
Cc: Ralph Metzler
Signed-off-by: Daniel Scheller
---
 drivers/media/pci/ddbridge/ddbridge-mci.c | 21 +++++++++++----------
 drivers/media/pci/ddbridge/ddbridge-mci.h |  4 ++++
 2 files changed, 15 insertions(+), 10 deletions(-)

diff --git a/drivers/media/pci/ddbridge/ddbridge-mci.c b/drivers/media/pci/ddbridge/ddbridge-mci.c index a85ff3e6b919..8d9592e75ad5 100644 --- a/drivers/media/pci/ddbridge/ddbridge-mci.c +++ b/drivers/media/pci/ddbridge/ddbridge-mci.c
@@ -38,10 +38,10 @@ struct mci_base { struct mutex mci_lock; /* concurrent MCI access lock */ int count; - u8 tuner_use_count[4]; - u8 assigned_demod[8]; - u32 used_ldpc_bitrate[8]; - u8 demod_in_use[8]; + u8 tuner_use_count[MCI_TUNER_MAX]; + u8 assigned_demod[MCI_DEMOD_MAX]; + u32 used_ldpc_bitrate[MCI_DEMOD_MAX]; + u8 demod_in_use[MCI_DEMOD_MAX]; u32 iq_mode; }; @@ -193,7 +193,7 @@ static int stop(struct dvb_frontend *fe) u32 input = state->tuner; memset(&cmd, 0, sizeof(cmd)); - if (state->demod != 0xff) { + if (state->demod != DEMOD_UNUSED) { cmd.command = MCI_CMD_STOP; cmd.demod = state->demod; mci_cmd(state, &cmd, NULL); @@ -209,10 +209,11 @@ static int stop(struct dvb_frontend *fe) state->base->tuner_use_count[input]--; if (!state->base->tuner_use_count[input]) mci_set_tuner(fe, input, 0); - state->base->demod_in_use[state->demod] = 0; + if (state->demod < MCI_DEMOD_MAX) + state->base->demod_in_use[state->demod] = 0; state->base->used_ldpc_bitrate[state->nr] = 0; - state->demod = 0xff; - state->base->assigned_demod[state->nr] = 0xff; + state->demod = DEMOD_UNUSED; + state->base->assigned_demod[state->nr] = DEMOD_UNUSED; state->base->iq_mode = 0; mutex_unlock(&state->base->tuner_lock); state->started = 0; @@ -250,7 +251,7 @@ static int start(struct dvb_frontend *fe, u32 flags, u32 modmask, u32 ts_config) stat = -EBUSY; goto unlock; } - for (i = 0; i < 8; i++) { + for (i = 0; i < MCI_DEMOD_MAX; i++) { used_ldpc_bitrate += state->base->used_ldpc_bitrate[i]; if (state->base->demod_in_use[i]) used_demods++; @@ -342,7 +343,7 @@ static int start_iq(struct dvb_frontend *fe, u32 ts_config) stat = -EBUSY; goto unlock; } - for (i = 0; i < 8; i++) + for (i = 0; i < MCI_DEMOD_MAX; i++) if (state->base->demod_in_use[i]) used_demods++; if (used_demods > 0) { diff --git a/drivers/media/pci/ddbridge/ddbridge-mci.h b/drivers/media/pci/ddbridge/ddbridge-mci.h index c4193c5ee095..453dcb9f8208 100644 --- a/drivers/media/pci/ddbridge/ddbridge-mci.h 
+++ b/drivers/media/pci/ddbridge/ddbridge-mci.h @@ -19,6 +19,10 @@ #ifndef _DDBRIDGE_MCI_H_ #define _DDBRIDGE_MCI_H_ +#define MCI_DEMOD_MAX 8 +#define MCI_TUNER_MAX 4 +#define DEMOD_UNUSED (0xFF) + #define MCI_CONTROL (0x500) #define MCI_COMMAND (0x600) #define MCI_RESULT (0x680)
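
Review bot: In the stop() hunk at -193, the guard "if (state->demod != DEMOD_UNUSED)" does not match the new array guard further down, "if (state->demod < MCI_DEMOD_MAX)". Any value from MCI_DEMOD_MAX up to 0xfe still passes the first test and is copied into cmd.demod and handed to mci_cmd(), even though the second test treats it as out of range. Using the same range check in both places would make stop() reject an invalid demod number consistently instead of only skipping the array write.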
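
Review bot: In the stop() hunk at -209, only demod_in_use[state->demod] gains a bounds check, while the neighbouring accesses with other indices stay unchecked in the visible lines: "tuner_use_count[input]--" (input is state->tuner, array size MCI_TUNER_MAX) and the writes to used_ldpc_bitrate[state->nr] and assigned_demod[state->nr] (array size MCI_DEMOD_MAX). If state->tuner and state->nr are guaranteed to be in range by the code that sets them, a short comment saying so would document why they need no check; otherwise they want the same treatment as state->demod.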
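
Review bot: In the ddbridge-mci.h hunk, DEMOD_UNUSED is the only one of the three new defines without the MCI_ prefix, and nothing documents that it is a sentinel sharing the u8 value space with valid demod indices. A one-line comment stating that valid demod numbers are 0..MCI_DEMOD_MAX-1 and that 0xFF means "unassigned" would record the invariant the new check in stop() relies on, and a consistent name (for example MCI_DEMOD_UNUSED) would keep the three defines recognisable as one group.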