shinys000114/linux
1
0
Fork 0
mirror of https://github.com/hardkernel/linux.git synced 2026-06-11 13:27:06 +09:00
Code Issues Packages Projects Releases Wiki Activity

media: technisat-usb2: break out of loop at end of buffer (CVE-2019-15505)

Browse Source
This commit is contained in:
Salvatore Bonaccorso
2019-09-25 07:39:29 +02:00
parent b7fd95fa88
commit 0923139d76
3 changed files with 74 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
debian/changelog vendored
View File

@@ -511,6 +511,7 @@ linux (5.2.14-1) UNRELEASED; urgency=medium
* rsi: fix a double free bug in rsi_91x_deinit() (CVE-2019-15504)
* Btrfs: fix unwritten extent buffers and hangs on future writeback attempts
(Closes: #940105)
* media: technisat-usb2: break out of loop at end of buffer (CVE-2019-15505)
[ Romain Perier ]
* [rt] Update to 5.2.14-rt7

72
debian/patches/bugfix/all/media-technisat-usb2-break-out-of-loop-at-end-of-buf.patch vendored Normal file
View File

@@ -0,0 +1,72 @@
From: Sean Young <sean@mess.org>
Date: Wed, 3 Jul 2019 10:52:39 -0400
Subject: media: technisat-usb2: break out of loop at end of buffer
Origin: https://git.kernel.org/linus/0c4df39e504bf925ab666132ac3c98d6cbbe380b
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-15505
Ensure we do not access the buffer beyond the end if no 0xff byte
is encountered.
Reported-by: syzbot+eaaaf38a95427be88f4b@syzkaller.appspotmail.com
Signed-off-by: Sean Young <sean@mess.org>
Reviewed-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
---
drivers/media/usb/dvb-usb/technisat-usb2.c | 22 ++++++++++------------
1 file changed, 10 insertions(+), 12 deletions(-)
diff --git a/drivers/media/usb/dvb-usb/technisat-usb2.c b/drivers/media/usb/dvb-usb/technisat-usb2.c
index c659e18b358b..676d233d46d5 100644
--- a/drivers/media/usb/dvb-usb/technisat-usb2.c
+++ b/drivers/media/usb/dvb-usb/technisat-usb2.c
@@ -608,10 +608,9 @@ static int technisat_usb2_frontend_attach(struct dvb_usb_adapter *a)
static int technisat_usb2_get_ir(struct dvb_usb_device *d)
{
struct technisat_usb2_state *state = d->priv;
- u8 *buf = state->buf;
- u8 *b;
- int ret;
struct ir_raw_event ev;
+ u8 *buf = state->buf;
+ int i, ret;
buf[0] = GET_IR_DATA_VENDOR_REQUEST;
buf[1] = 0x08;
@@ -647,26 +646,25 @@ static int technisat_usb2_get_ir(struct dvb_usb_device *d)
return 0; /* no key pressed */
/* decoding */
- b = buf+1;
#if 0
deb_rc("RC: %d ", ret);
- debug_dump(b, ret, deb_rc);
+ debug_dump(buf + 1, ret, deb_rc);
#endif
ev.pulse = 0;
- while (1) {
- ev.pulse = !ev.pulse;
- ev.duration = (*b * FIRMWARE_CLOCK_DIVISOR * FIRMWARE_CLOCK_TICK) / 1000;
- ir_raw_event_store(d->rc_dev, &ev);
-
- b++;
- if (*b == 0xff) {
+ for (i = 1; i < ARRAY_SIZE(state->buf); i++) {
+ if (buf[i] == 0xff) {
ev.pulse = 0;
ev.duration = 888888*2;
ir_raw_event_store(d->rc_dev, &ev);
break;
}
+
+ ev.pulse = !ev.pulse;
+ ev.duration = (buf[i] * FIRMWARE_CLOCK_DIVISOR *
+ FIRMWARE_CLOCK_TICK) / 1000;
+ ir_raw_event_store(d->rc_dev, &ev);
}
ir_raw_event_handle(d->rc_dev);
--
2.20.1

1
debian/patches/series vendored
View File

@@ -147,6 +147,7 @@ debian/ntfs-mark-it-as-broken.patch
bugfix/all/vhost-make-sure-log_num-in_num.patch
bugfix/all/KVM-coalesced_mmio-add-bounds-checking.patch
bugfix/all/rsi-fix-a-double-free-bug-in-rsi_91x_deinit.patch
bugfix/all/media-technisat-usb2-break-out-of-loop-at-end-of-buf.patch
# Fix exported symbol versions
bugfix/all/module-disable-matching-missing-version-crc.patch