git.baikalelectronics.ru Git - kernel.git/commit

media: pvrusb2: Prevent a buffer overflow

The ctrl_check_input() function is called from pvr2_ctrl_range_check().
It's supposed to validate user supplied input and return true or false
depending on whether the input is valid or not.  The problem is that
negative shifts or shifts greater than 31 are undefined in C.  In
practice with GCC they result in shift wrapping so this function returns
true for some inputs which are not valid and this could result in a
buffer overflow:

    drivers/media/usb/pvrusb2/pvrusb2-ctrl.c:205 pvr2_ctrl_get_valname()
    warn: uncapped user index 'names[val]'

The cptr->hdw->input_allowed_mask mask is configured in pvr2_hdw_create()
and the highest valid bit is BIT(4).

Fixes: c5a16ca6da0d ("V4L/DVB (7299): pvrusb2: Improve logic which handles input choice availability")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>

author	Dan Carpenter <dan.carpenter@oracle.com>
	Mon, 8 Apr 2019 09:52:38 +0000 (05:52 -0400)
committer	Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
	Mon, 22 Apr 2019 15:45:08 +0000 (11:45 -0400)
commit	c4f9c69de6515e0979a5448faf05be9f87233529
tree	c6a1fb692a5465ff38c3f22180f29bc0de07e6c7	tree \| snapshot
parent	b4c9cb6e069ec2587b395a39df974a5a8a7fa374	commit \| diff

drivers/media/usb/pvrusb2/pvrusb2-hdw.c		diff \| blob \| history
drivers/media/usb/pvrusb2/pvrusb2-hdw.h		diff \| blob \| history