author | Laura Abbott <labbott@fedoraproject.org> | 2015-10-05 13:35:58 -0700 |
---|---|---|
committer | Laura Abbott <labbott@fedoraproject.org> | 2015-10-05 13:43:49 -0700 |
commit | cc35985a8e5bea8f0af9054cd1e64f2b32bbf097 (patch) | |
tree | 5424f3b50fa03c4cf04aec32248ef11fda0834b6 /si2157-Bounds-check-firmware.patch | |
parent | 15d3266c8ea8e556580514f98f287b86a96d761a (diff) | |
Stop stack smash for several DVB devices (rhbz 1265978)
Diffstat (limited to 'si2157-Bounds-check-firmware.patch')
-rw-r--r-- | si2157-Bounds-check-firmware.patch | 39 |
1 files changed, 39 insertions, 0 deletions
diff --git a/si2157-Bounds-check-firmware.patch b/si2157-Bounds-check-firmware.patch
new file mode 100644
index 000000000..284006160
--- /dev/null
+++ b/si2157-Bounds-check-firmware.patch
@@ -0,0 +1,39 @@
+From 526fbce5b0e44c67a97c57656b3be9911f0a9b9b Mon Sep 17 00:00:00 2001
+From: Laura Abbott <labbott@fedoraproject.org>
+Date: Tue, 29 Sep 2015 16:59:20 -0700
+Subject: [PATCH 2/2] si2157: Bounds check firmware
+To: Antti Palosaari <crope@iki.fi>
+To: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
+Cc: Olli Salonen <olli.salonen@iki.fi>
+Cc: linux-media@vger.kernel.org
+Cc: linux-kernel@vger.kernel.org
+
+When reading the firmware and sending commands, the length
+must be bounds checked to avoid overrunning the size of the command
+buffer and smashing the stack if the firmware is not in the
+expected format. Add the proper check.
+
+Cc: stable@kernel.org
+Signed-off-by: Laura Abbott <labbott@fedoraproject.org>
+---
+ drivers/media/tuners/si2157.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/media/tuners/si2157.c b/drivers/media/tuners/si2157.c
+index 5073821..ce157ed 100644
+--- a/drivers/media/tuners/si2157.c
++++ b/drivers/media/tuners/si2157.c
+@@ -166,6 +166,10 @@ static int si2157_init(struct dvb_frontend *fe)
+
+ for (remaining = fw->size; remaining > 0; remaining -= 17) {
+ len = fw->data[fw->size - remaining];
++ if (len > SI2157_ARGLEN) {
++ dev_err(&client->dev, "Bad firmware length\n");
++ goto err_release_firmware;
++ }
+ memcpy(cmd.args, &fw->data[(fw->size - remaining) + 1], len);
+ cmd.wlen = len;
+ cmd.rlen = 1;
+--
+2.4.3
+ |
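Review bot: The new error branch in the embedded si2157.c hunk jumps to `err_release_firmware` without assigning `ret`, so what si2157_init returns depends on whatever `ret` held earlier in the function, which is outside the hunk. If that value is 0 from a preceding successful call, init would report success after rejecting a malformed image and leave the tuner with partly loaded firmware; add `ret = -EINVAL;` before the `goto`. The check bounds the copy into `cmd.args` but not the read side: the loop walks `fw->data` in 17-byte records, so it is worth confirming that code before the loop rejects an image whose size is not a multiple of 17, otherwise the final record could be read past the end of the firmware buffer. A short comment such as `/* len is taken from the firmware file; never trust it beyond sizeof(cmd.args) */` above the check would record why it exists.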