davidlt/kernel-ark
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
01a1a3cc1e
kernel-ark/drivers
History
Mauro Carvalho Chehab 01a1a3cc1e V4L/DVB (9624): CVE-2008-5033: fix OOPS on tvaudio when controlling bass/treble 
This bug were supposed to be fixed by 5ba2f67afb,
where a call to NULL happens.

Not all tvaudio chips allow controlling bass/treble. So, the driver
has a table with a flag to indicate if the chip does support it.

Unfortunately, the handling of this logic were broken for a very long
time (probably since the first module version). Due to that, an OOPS
were generated for devices that don't support bass/treble.

This were the resulting OOPS message before the patch, with debug messages
enabled:

tvaudio' 1-005b: VIDIOC_S_CTRL
BUG: unable to handle kernel NULL pointer dereference at 00000000
IP: [<00000000>]
*pde = 22fda067 *pte = 00000000
Oops: 0000 [#1] SMP
Modules linked in: snd_hda_intel snd_seq_dummy snd_seq_oss snd_seq_midi_event snd_seq snd_seq_device
snd_pcm_oss snd_mixer_oss snd_pcm snd_timer snd_hwdep snd soundcore tuner_simple tuner_types tea5767 tuner
tvaudio bttv bridgebnep rfcomm l2cap bluetooth it87 hwmon_vid hwmon fuse sunrpc ipt_REJECT
nf_conntrack_ipv4 iptable_filter ip_tables ip6t_REJECT xt_tcpudp nf_conntrack_ipv6 xt_state nf_conntrack
ip6table_filter ip6_tables x_tables ipv6 dm_mirrordm_multipath dm_mod configfs videodev v4l1_compat
ir_common 8139cp compat_ioctl32 v4l2_common 8139too videobuf_dma_sg videobuf_core mii btcx_risc tveeprom
i915 button snd_page_alloc serio_raw drm pcspkr i2c_algo_bit i2c_i801 i2c_core iTCO_wdt
iTCO_vendor_support sr_mod cdrom sg ata_generic pata_acpi ata_piix libata sd_mod scsi_mod ext3 jbdmbcache
uhci_hcd ohci_hcd ehci_hcd [last unloaded: soundcore]

Pid: 15413, comm: qv4l2 Not tainted (2.6.25.14-108.fc9.i686 #1)
EIP: 0060:[<00000000>] EFLAGS: 00210246 CPU: 0
EIP is at 0x0
EAX: 00008000 EBX: ebd21600 ECX: e2fd9ec4 EDX: 00200046
ESI: f8c0f0c4 EDI: f8c0f0c4 EBP: e2fd9d50 ESP: e2fd9d2c
 DS: 007b ES: 007b FS: 00d8 GS: 0033 SS: 0068
Process qv4l2 (pid: 15413, ti=e2fd9000 task=ebe44000 task.ti=e2fd9000)
Stack: f8c0c6ae e2ff2a00 00000d00 e2fd9ec4 ebc4e000 e2fd9d5c f8c0c448 00000000
       f899c12a e2fd9d5c f899c154 e2fd9d68 e2fd9d80 c0560185 e2fd9d88 f8f3e1d8
       f8f3e1dc ebc4e034 f8f3e18c e2fd9ec4 00000000 e2fd9d90 f899c286 c008561c
Call Trace:
 [<f8c0c6ae>] ? chip_command+0x266/0x4b6 [tvaudio]
 [<f8c0c448>] ? chip_command+0x0/0x4b6 [tvaudio]
 [<f899c12a>] ? i2c_cmd+0x0/0x2f [i2c_core]
 [<f899c154>] ? i2c_cmd+0x2a/0x2f [i2c_core]
 [<c0560185>] ? device_for_each_child+0x21/0x49
 [<f899c286>] ? i2c_clients_command+0x1c/0x1e [i2c_core]
 [<f8f283d8>] ? bttv_call_i2c_clients+0x14/0x16 [bttv]
 [<f8f23601>] ? bttv_s_ctrl+0x1bc/0x313 [bttv]
 [<f8f23445>] ? bttv_s_ctrl+0x0/0x313 [bttv]
 [<f8b6096d>] ? __video_do_ioctl+0x1f84/0x3726 [videodev]
 [<c05abb4e>] ? sock_aio_write+0x100/0x10d
 [<c041b23e>] ? kmap_atomic_prot+0x1dd/0x1df
 [<c043a0c9>] ? enqueue_hrtimer+0xc2/0xcd
 [<c04f4fa4>] ? copy_from_user+0x39/0x121
 [<f8b622b9>] ? __video_ioctl2+0x1aa/0x24a [videodev]
 [<c04054fd>] ? do_notify_resume+0x768/0x795
 [<c043c0f7>] ? getnstimeofday+0x34/0xd1
 [<c0437b77>] ? autoremove_wake_function+0x0/0x33
 [<f8b62368>] ? video_ioctl2+0xf/0x13 [videodev]
 [<c048c6f0>] ? vfs_ioctl+0x50/0x69
 [<c048c942>] ? do_vfs_ioctl+0x239/0x24c
 [<c048c995>] ? sys_ioctl+0x40/0x5b
 [<c0405bf2>] ? syscall_call+0x7/0xb
 [<c0620000>] ? cpuid4_cache_sysfs_exit+0x3d/0x69
 =======================
Code:  Bad EIP value.
EIP: [<00000000>] 0x0 SS:ESP 0068:e2fd9d2c

Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
2008-11-14 14:39:47 -02:00
..
accessibility
acpi ACPI suspend: build fix for ACPI_SLEEP=n && XEN_SAVE_RESTORE=y. 2008-10-25 04:07:13 -04:00
amba
ata libata: fix last_reset timestamp handling 2008-11-11 03:01:21 -05:00
atm
auxdisplay
base sysfs: Fix return values for sysdev_store_{ulong,int} 2008-10-29 15:03:49 -07:00
block cciss: fix regression firmware not displayed in procfs 2008-11-06 15:41:18 -08:00
bluetooth bpa10x: free sk_buff with kfree_skb 2008-10-31 00:40:19 -07:00
cdrom gdrom: Fix compile error 2008-10-28 17:46:02 +09:00
char tty: trivial - fix up email addresses in tty related stuff 2008-11-11 09:30:10 -08:00
clocksource Merge branches 'timers/clocksource', 'timers/hrtimers', 'timers/nohz', 'timers/ntp', 'timers/posixtimers' and 'timers/debug' into v28-timers-for-linus 2008-10-20 13:14:06 +02:00
connector
cpufreq
cpuidle regression: disable timer peek-ahead for 2.6.28 2008-11-09 16:28:42 -08:00
crypto
dca [4/4] dca: fixup initialization dependency 2008-11-10 15:01:03 -08:00
dio
dma [3/4] I/OAT: fix async_tx.callback checking 2008-11-10 15:01:00 -08:00
edac edac: fix enabling of polling cell module 2008-10-30 11:38:46 -07:00
eisa
firewire firewire: struct device - replace bus_id with dev_name(), dev_set_name() 2008-10-31 08:48:25 +01:00
firmware trivial: dmi_scan typo 2008-11-07 08:25:43 -08:00
gpio mfd: twl4030-gpio driver 2008-10-22 01:19:39 +02:00
gpu drm/i915: Move legacy breadcrumb out of the reserved status page area 2008-11-11 18:03:28 +10:00
hid V4L/DVB (9337a): HID: Don't allow KWorld radio fm700 be handled by usb hid drivers 2008-11-11 08:09:43 -02:00
hwmon hwmon: applesmc: add support for iMac 8 2008-11-06 15:41:17 -08:00
i2c i2c-s3c2410: Correct use of ! and & 2008-10-30 15:55:47 +01:00
ide ide-gd: re-get capacity on revalidate 2008-11-02 21:40:10 +01:00
idle i7300_idle: Cleanup based review comments 2008-10-24 12:55:14 -04:00
ieee1394 Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ieee1394/linux1394-2.6 2008-11-06 15:55:34 -08:00
infiniband saner FASYNC handling on file close 2008-11-01 09:49:46 -07:00
input saner FASYNC handling on file close 2008-11-01 09:49:46 -07:00
isdn
leds remove unused #include <version.h>'s 2008-11-01 09:50:12 -07:00
lguest
macintosh
mca
md md: linear: Fix a division by zero bug for very small arrays. 2008-11-06 19:41:24 +11:00
media V4L/DVB (9624): CVE-2008-5033: fix OOPS on tvaudio when controlling bass/treble 2008-11-14 14:39:47 -02:00
memstick [PATCH] switch memstick 2008-10-21 07:48:33 -04:00
message trivial: MPT fusion - remove long dead code 2008-11-07 08:25:43 -08:00
mfd missing dependencies on HAVE_CLK in drivers/mfd 2008-11-01 12:40:38 -07:00
misc remove unused #include <version.h>'s 2008-11-01 09:50:12 -07:00
mmc mmc: struct device - replace bus_id with dev_name(), dev_set_name() 2008-11-08 21:37:46 +01:00
mtd Merge git://git.infradead.org/mtd-2.6 2008-11-06 15:43:13 -08:00
net Merge branch 'davem-fixes' of master.kernel.org:/pub/scm/linux/kernel/git/jgarzik/netdev-2.6 2008-11-07 01:39:27 -08:00
nubus
of OF-device: Don't overwrite numa_node in device registration 2008-10-31 16:12:01 +11:00
oprofile oprofile: fix memory ordering 2008-10-27 19:15:41 +01:00
parisc [PATCH] introduce fmode_t, do annotations 2008-10-21 07:47:06 -04:00
parport Merge git://git.kernel.org/pub/scm/linux/kernel/git/brodo/pcmcia-2.6 2008-10-30 12:52:53 -07:00
pci PCI: fix range check on mmapped sysfs resource files 2008-11-03 14:41:16 -08:00
pcmcia Merge branch 'master' of master.kernel.org:/pub/scm/linux/kernel/git/torvalds/linux-2.6 2008-10-31 16:18:02 +09:00
pnp drivers: remove duplicated #include 2008-11-04 08:18:19 -08:00
power Merge git://git.infradead.org/battery-2.6 2008-10-20 09:44:30 -07:00
ps3 powerpc/ps3: Fix compile error in ps3-lpm.c 2008-11-05 19:59:08 +11:00
rapidio
regulator regulator: Use menuconfig in Kconfig 2008-11-09 14:49:23 +00:00
rtc rtc-cmos: fix boot log message 2008-11-06 15:41:19 -08:00
s390 Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6 2008-10-30 11:46:28 -07:00
sbus drivers: remove duplicated #include 2008-11-04 08:18:19 -08:00
scsi saner FASYNC handling on file close 2008-11-01 09:49:46 -07:00
serial atmel_serial: keep clock off when it's not needed 2008-11-06 15:41:19 -08:00
sh
sn
spi Merge git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-core-2.6 2008-10-16 12:40:26 -07:00
ssb SSB: hide empty sub menu 2008-11-10 13:50:17 -08:00
staging Don't ask twice about not including staging drivers 2008-11-09 12:47:04 -08:00
tc
telephony telephony: trivial: fix up email address 2008-11-11 09:30:23 -08:00
thermal
uio saner FASYNC handling on file close 2008-11-01 09:49:46 -07:00
usb tty: trivial - fix up email addresses in tty related stuff 2008-11-11 09:30:10 -08:00
uwb uwb: wrong sizeof argument in mac address compare 2008-10-20 14:37:53 +01:00
video fbdev: fix fb_compat_ioctl() deadlocks 2008-11-06 15:41:19 -08:00
virtio
w1 x86: sysfs: kill owner field from attribute 2008-10-20 08:52:42 -07:00
watchdog Merge branch 'merge' of git://git.kernel.org/pub/scm/linux/kernel/git/paulus/powerpc 2008-11-11 09:24:31 -08:00
xen drivers: remove duplicated #include 2008-11-04 08:18:19 -08:00
zorro
Kconfig regulator: Build on non-ARM platforms 2008-10-28 21:47:17 +00:00
Makefile Merge branch 'for-upstream' of git://git.kernel.org/pub/scm/linux/kernel/git/dvrabel/uwb 2008-10-26 16:35:46 -07:00