diff options
Diffstat (limited to 'si2168-Bounds-check-firmware.patch')
-rw-r--r-- | si2168-Bounds-check-firmware.patch | 50 |
1 files changed, 0 insertions, 50 deletions
diff --git a/si2168-Bounds-check-firmware.patch b/si2168-Bounds-check-firmware.patch deleted file mode 100644 index e9c5bcc50..000000000 --- a/si2168-Bounds-check-firmware.patch +++ /dev/null @@ -1,50 +0,0 @@ -From 43018528944fa4965a4048fee91d76b47dcaf60e Mon Sep 17 00:00:00 2001 -From: Laura Abbott <labbott@fedoraproject.org> -Date: Mon, 28 Sep 2015 14:10:34 -0700 -Subject: [PATCH 1/2] si2168: Bounds check firmware -To: Antti Palosaari <crope@iki.fi> -To: Mauro Carvalho Chehab <mchehab@osg.samsung.com> -Cc: Olli Salonen <olli.salonen@iki.fi> -Cc: linux-media@vger.kernel.org -Cc: linux-kernel@vger.kernel.org -Cc: Stuart Auchterlonie <sauchter@redhat.com> - - -When reading the firmware and sending commands, the length must -be bounds checked to avoid overrunning the size of the command -buffer and smashing the stack if the firmware is not in the expected -format: - -si2168 11-0064: found a 'Silicon Labs Si2168-B40' -si2168 11-0064: downloading firmware from file 'dvb-demod-si2168-b40-01.fw' -si2168 11-0064: firmware download failed -95 -Kernel panic - not syncing: stack-protector: Kernel stack is corrupted in: ffffffffa085708f - -Add the proper check. - -Cc: stable@kernel.org -Reported-by: Stuart Auchterlonie <sauchter@redhat.com> -Reviewed-by: Antti Palosaari <crope@iki.fi> -Signed-off-by: Laura Abbott <labbott@fedoraproject.org> ---- - drivers/media/dvb-frontends/si2168.c | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/drivers/media/dvb-frontends/si2168.c b/drivers/media/dvb-frontends/si2168.c -index 81788c5..821a8f4 100644 ---- a/drivers/media/dvb-frontends/si2168.c -+++ b/drivers/media/dvb-frontends/si2168.c -@@ -502,6 +502,10 @@ static int si2168_init(struct dvb_frontend *fe) - /* firmware is in the new format */ - for (remaining = fw->size; remaining > 0; remaining -= 17) { - len = fw->data[fw->size - remaining]; -+ if (len > SI2168_ARGLEN) { -+ ret = -EINVAL; -+ break; -+ } - memcpy(cmd.args, &fw->data[(fw->size - remaining) + 1], len); - cmd.wlen = len; - cmd.rlen = 1; --- -2.4.3 - |