authorLaura Abbott <labbott@fedoraproject.org>2015-10-05 13:35:58 -0700
committerLaura Abbott <labbott@fedoraproject.org>2015-10-05 13:43:49 -0700
commitcc35985a8e5bea8f0af9054cd1e64f2b32bbf097 (patch)
tree5424f3b50fa03c4cf04aec32248ef11fda0834b6 /si2157-Bounds-check-firmware.patch
parent15d3266c8ea8e556580514f98f287b86a96d761a (diff)
Stop stack smash for several DVB devices (rhbz 1265978)
Diffstat (limited to 'si2157-Bounds-check-firmware.patch')
-rw-r--r--si2157-Bounds-check-firmware.patch39
1 files changed, 39 insertions, 0 deletions
diff --git a/si2157-Bounds-check-firmware.patch b/si2157-Bounds-check-firmware.patch
new file mode 100644
index 000000000..284006160
--- /dev/null
+++ b/si2157-Bounds-check-firmware.patch
@@ -0,0 +1,39 @@
+From 526fbce5b0e44c67a97c57656b3be9911f0a9b9b Mon Sep 17 00:00:00 2001
+From: Laura Abbott <labbott@fedoraproject.org>
+Date: Tue, 29 Sep 2015 16:59:20 -0700
+Subject: [PATCH 2/2] si2157: Bounds check firmware
+To: Antti Palosaari <crope@iki.fi>
+To: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
+Cc: Olli Salonen <olli.salonen@iki.fi>
+Cc: linux-media@vger.kernel.org
+Cc: linux-kernel@vger.kernel.org
+
+When reading the firmware and sending commands, the length
+must be bounds checked to avoid overrunning the size of the command
+buffer and smashing the stack if the firmware is not in the
+expected format. Add the proper check.
+
+Cc: stable@kernel.org
+Signed-off-by: Laura Abbott <labbott@fedoraproject.org>
+---
+ drivers/media/tuners/si2157.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/media/tuners/si2157.c b/drivers/media/tuners/si2157.c
+index 5073821..ce157ed 100644
+--- a/drivers/media/tuners/si2157.c
++++ b/drivers/media/tuners/si2157.c
+@@ -166,6 +166,10 @@ static int si2157_init(struct dvb_frontend *fe)
+
+ for (remaining = fw->size; remaining > 0; remaining -= 17) {
+ len = fw->data[fw->size - remaining];
++ if (len > SI2157_ARGLEN) {
++ dev_err(&client->dev, "Bad firmware length\n");
++ goto err_release_firmware;
++ }
+ memcpy(cmd.args, &fw->data[(fw->size - remaining) + 1], len);
+ cmd.wlen = len;
+ cmd.rlen = 1;
+--
+2.4.3
+
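Review bot: The new rejection branch in the si2157.c hunk jumps to `err_release_firmware` without assigning an error code. The label and the function's return are outside the hunk, but if that path returns `ret` and `ret` still holds 0 from the preceding successful commands, si2157_init would report success for a tuner whose firmware upload was aborted. Setting `ret = -EINVAL;` on the line before `goto err_release_firmware;` makes the malformed-firmware case visible to the caller. The check itself does keep `memcpy` within `cmd.args`, provided that array is at least `SI2157_ARGLEN` bytes; its declaration is not shown here. A short comment such as `/* len comes from the firmware blob; never trust it past the cmd buffer */` above the check would record why it must stay.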