Stop stack smash for several DVB devices (rhbz 1265978)
parent
a2857988cd
commit
96e3605239
11
kernel.spec
11
kernel.spec
|
@ -664,6 +664,10 @@ Patch532: Initialize-msg-shm-IPC-objects-before-doing-ipc_addi.patch
|
|||
Patch534: inet-fix-potential-deadlock-in-reqsk_queue_unlink.patch
|
||||
Patch535: inet-fix-race-in-reqsk_queue_unlink.patch
|
||||
|
||||
#rhbz 1265978
|
||||
Patch536: si2168-Bounds-check-firmware.patch
|
||||
Patch537: si2157-Bounds-check-firmware.patch
|
||||
|
||||
# END OF PATCH DEFINITIONS
|
||||
|
||||
%endif
|
||||
|
@ -1446,6 +1450,10 @@ ApplyPatch Initialize-msg-shm-IPC-objects-before-doing-ipc_addi.patch
|
|||
ApplyPatch inet-fix-potential-deadlock-in-reqsk_queue_unlink.patch
|
||||
ApplyPatch inet-fix-race-in-reqsk_queue_unlink.patch
|
||||
|
||||
#rhbz 1265978
|
||||
ApplyPatch si2168-Bounds-check-firmware.patch
|
||||
ApplyPatch si2157-Bounds-check-firmware.patch
|
||||
|
||||
# END OF PATCH APPLICATIONS
|
||||
|
||||
%endif
|
||||
|
@ -2296,6 +2304,9 @@ fi
|
|||
#
|
||||
#
|
||||
%changelog
|
||||
* Mon Oct 05 2015 Laura Abbott <labbott@fedoraproject.org>
|
||||
- Stop stack smash for several DVB devices (rhbz 1265978)
|
||||
|
||||
* Mon Oct 05 2015 Josh Boyer <jwboyer@fedoraproject.org> - 4.1.10-200
|
||||
- Linxu v4.1.10
|
||||
- Add patch to fix soft lockups in network stack (rhbz 1266691)
|
||||
|
|
|
@ -0,0 +1,39 @@
|
|||
From 526fbce5b0e44c67a97c57656b3be9911f0a9b9b Mon Sep 17 00:00:00 2001
|
||||
From: Laura Abbott <labbott@fedoraproject.org>
|
||||
Date: Tue, 29 Sep 2015 16:59:20 -0700
|
||||
Subject: [PATCH 2/2] si2157: Bounds check firmware
|
||||
To: Antti Palosaari <crope@iki.fi>
|
||||
To: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
|
||||
Cc: Olli Salonen <olli.salonen@iki.fi>
|
||||
Cc: linux-media@vger.kernel.org
|
||||
Cc: linux-kernel@vger.kernel.org
|
||||
|
||||
When reading the firmware and sending commands, the length
|
||||
must be bounds checked to avoid overrunning the size of the command
|
||||
buffer and smashing the stack if the firmware is not in the
|
||||
expected format. Add the proper check.
|
||||
|
||||
Cc: stable@kernel.org
|
||||
Signed-off-by: Laura Abbott <labbott@fedoraproject.org>
|
||||
---
|
||||
drivers/media/tuners/si2157.c | 4 ++++
|
||||
1 file changed, 4 insertions(+)
|
||||
|
||||
diff --git a/drivers/media/tuners/si2157.c b/drivers/media/tuners/si2157.c
|
||||
index 5073821..ce157ed 100644
|
||||
--- a/drivers/media/tuners/si2157.c
|
||||
+++ b/drivers/media/tuners/si2157.c
|
||||
@@ -166,6 +166,10 @@ static int si2157_init(struct dvb_frontend *fe)
|
||||
|
||||
for (remaining = fw->size; remaining > 0; remaining -= 17) {
|
||||
len = fw->data[fw->size - remaining];
|
||||
+ if (len > SI2157_ARGLEN) {
|
||||
+ dev_err(&client->dev, "Bad firmware length\n");
|
||||
+ goto err_release_firmware;
|
||||
+ }
|
||||
memcpy(cmd.args, &fw->data[(fw->size - remaining) + 1], len);
|
||||
cmd.wlen = len;
|
||||
cmd.rlen = 1;
|
||||
--
|
||||
2.4.3
|
||||
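Review bot: The new error branch in the si2157_init loop jumps to `err_release_firmware` without assigning `ret`, whereas the matching si2168 check sets `ret = -EINVAL` before leaving the loop. The rest of si2157_init is outside the hunk, so this is inferred: if `ret` still holds 0 from the preceding successful call, init would log "Bad firmware length" and then return success with the firmware only partly loaded. Adding `ret = -EINVAL;` before the `goto` lets the caller see the rejection.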
|
|
@ -0,0 +1,50 @@
|
|||
From 43018528944fa4965a4048fee91d76b47dcaf60e Mon Sep 17 00:00:00 2001
|
||||
From: Laura Abbott <labbott@fedoraproject.org>
|
||||
Date: Mon, 28 Sep 2015 14:10:34 -0700
|
||||
Subject: [PATCH 1/2] si2168: Bounds check firmware
|
||||
To: Antti Palosaari <crope@iki.fi>
|
||||
To: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
|
||||
Cc: Olli Salonen <olli.salonen@iki.fi>
|
||||
Cc: linux-media@vger.kernel.org
|
||||
Cc: linux-kernel@vger.kernel.org
|
||||
Cc: Stuart Auchterlonie <sauchter@redhat.com>
|
||||
|
||||
|
||||
When reading the firmware and sending commands, the length must
|
||||
be bounds checked to avoid overrunning the size of the command
|
||||
buffer and smashing the stack if the firmware is not in the expected
|
||||
format:
|
||||
|
||||
si2168 11-0064: found a 'Silicon Labs Si2168-B40'
|
||||
si2168 11-0064: downloading firmware from file 'dvb-demod-si2168-b40-01.fw'
|
||||
si2168 11-0064: firmware download failed -95
|
||||
Kernel panic - not syncing: stack-protector: Kernel stack is corrupted in: ffffffffa085708f
|
||||
|
||||
Add the proper check.
|
||||
|
||||
Cc: stable@kernel.org
|
||||
Reported-by: Stuart Auchterlonie <sauchter@redhat.com>
|
||||
Reviewed-by: Antti Palosaari <crope@iki.fi>
|
||||
Signed-off-by: Laura Abbott <labbott@fedoraproject.org>
|
||||
---
|
||||
drivers/media/dvb-frontends/si2168.c | 4 ++++
|
||||
1 file changed, 4 insertions(+)
|
||||
|
||||
diff --git a/drivers/media/dvb-frontends/si2168.c b/drivers/media/dvb-frontends/si2168.c
|
||||
index 81788c5..821a8f4 100644
|
||||
--- a/drivers/media/dvb-frontends/si2168.c
|
||||
+++ b/drivers/media/dvb-frontends/si2168.c
|
||||
@@ -502,6 +502,10 @@ static int si2168_init(struct dvb_frontend *fe)
|
||||
/* firmware is in the new format */
|
||||
for (remaining = fw->size; remaining > 0; remaining -= 17) {
|
||||
len = fw->data[fw->size - remaining];
|
||||
+ if (len > SI2168_ARGLEN) {
|
||||
+ ret = -EINVAL;
|
||||
+ break;
|
||||
+ }
|
||||
memcpy(cmd.args, &fw->data[(fw->size - remaining) + 1], len);
|
||||
cmd.wlen = len;
|
||||
cmd.rlen = 1;
|
||||
--
|
||||
2.4.3
|
||||
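Review bot: The added check in the si2168_init loop bounds the write into `cmd.args`, but not the read from `fw->data`. The loop stride shows that each record is 17 bytes, one length byte plus 16 payload bytes. If `SI2168_ARGLEN` is larger than 16 (its value is not visible here), a length byte between 17 and that limit still passes, and the `memcpy` reads into the next record or, on the last record, past the end of the firmware buffer. Rejecting anything above the record payload as well would close this, for example `if (len > SI2168_ARGLEN || len > 16) {`. The same reasoning applies to the si2157 loop. The enclosing function continues outside the hunk, so any earlier validation of `fw->size` cannot be confirmed from here.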
|