Patchwork [maverick,maverick/ti-omap4,natty,natty/ti-omap4,CVE,1/1] si4713-i2c: avoid potential buffer overflow on si4713

Submitter Andy Whitcroft
Date Sept. 19, 2011, 9:47 a.m.
Message ID <1316425679-31122-2-git-send-email-apw@canonical.com>
Permalink /patch/115314/
State New

Comments

Andy Whitcroft - Sept. 19, 2011, 9:47 a.m.
From: Mauro Carvalho Chehab <mchehab@redhat.com>

While compiling it with Fedora 15, I noticed this issue:

  inlined from ‘si4713_write_econtrol_string’ at drivers/media/radio/si4713-i2c.c:1065:24:
  arch/x86/include/asm/uaccess_32.h:211:26: error: call to ‘copy_from_user_overflow’ declared with attribute error: copy_from_user() buffer size is not provably correct

Cc: stable@kernel.org
Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
Acked-by: Sakari Ailus <sakari.ailus@maxwell.research.nokia.com>
Acked-by: Eduardo Valentin <edubezval@gmail.com>
Reviewed-by: Eugene Teo <eugeneteo@kernel.sg>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

(cherry picked from commit dc6b845044ccb7e9e6f3b7e71bd179b3cf0223b6)
CVE-2011-2700
BugLink: http://bugs.launchpad.net/bugs/844370
Signed-off-by: Andy Whitcroft <apw@canonical.com>
---
 drivers/media/radio/si4713-i2c.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

Stefan Bader - Sept. 19, 2011, 9:52 a.m.
On 19.09.2011 11:47, Andy Whitcroft wrote:
> From: Mauro Carvalho Chehab <mchehab@redhat.com>
> 
> While compiling it with Fedora 15, I noticed this issue:
> 
>   inlined from ‘si4713_write_econtrol_string’ at drivers/media/radio/si4713-i2c.c:1065:24:
>   arch/x86/include/asm/uaccess_32.h:211:26: error: call to ‘copy_from_user_overflow’ declared with attribute error: copy_from_user() buffer size is not provably correct
> 
> Cc: stable@kernel.org
> Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
> Acked-by: Sakari Ailus <sakari.ailus@maxwell.research.nokia.com>
> Acked-by: Eduardo Valentin <edubezval@gmail.com>
> Reviewed-by: Eugene Teo <eugeneteo@kernel.sg>
> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
> 
> (cherry picked from commit dc6b845044ccb7e9e6f3b7e71bd179b3cf0223b6)
> CVE-2011-2700
> BugLink: http://bugs.launchpad.net/bugs/844370
> Signed-off-by: Andy Whitcroft <apw@canonical.com>
> ---
>  drivers/media/radio/si4713-i2c.c |    4 ++--
>  1 files changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/drivers/media/radio/si4713-i2c.c b/drivers/media/radio/si4713-i2c.c
> index ab63dd5..6ce2fb1 100644
> --- a/drivers/media/radio/si4713-i2c.c
> +++ b/drivers/media/radio/si4713-i2c.c
> @@ -1004,7 +1004,7 @@ static int si4713_write_econtrol_string(struct si4713_device *sdev,
>  		char ps_name[MAX_RDS_PS_NAME + 1];
>  
>  		len = control->size - 1;
> -		if (len > MAX_RDS_PS_NAME) {
> +		if (len < 0 || len > MAX_RDS_PS_NAME) {
>  			rval = -ERANGE;
>  			goto exit;
>  		}
> @@ -1026,7 +1026,7 @@ static int si4713_write_econtrol_string(struct si4713_device *sdev,
>  		char radio_text[MAX_RDS_RADIO_TEXT + 1];
>  
>  		len = control->size - 1;
> -		if (len > MAX_RDS_RADIO_TEXT) {
> +		if (len < 0 || len > MAX_RDS_RADIO_TEXT) {
>  			rval = -ERANGE;
>  			goto exit;
>  		}

Looks reasonable. Clean pick...

Acked-by: Stefan Bader <smb@canonical.com>

Patch

diff --git a/drivers/media/radio/si4713-i2c.c b/drivers/media/radio/si4713-i2c.c
index ab63dd5..6ce2fb1 100644
--- a/drivers/media/radio/si4713-i2c.c
+++ b/drivers/media/radio/si4713-i2c.c
@@ -1004,7 +1004,7 @@  static int si4713_write_econtrol_string(struct si4713_device *sdev,
 		char ps_name[MAX_RDS_PS_NAME + 1];
 
 		len = control->size - 1;
-		if (len > MAX_RDS_PS_NAME) {
+		if (len < 0 || len > MAX_RDS_PS_NAME) {
 			rval = -ERANGE;
 			goto exit;
 		}
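
Review bot: the new `len < 0` test in the ps_name branch only does its job if `len` is a signed type, and the declaration of `len` is outside this hunk, so that needs confirming before the fix is relied on. With a signed `len`, a `control->size` of 0 gives `len` equal to -1, which the old `len > MAX_RDS_PS_NAME` test let through; with an unsigned `len` the `< 0` arm would be dead code. Validating `control->size` before the subtraction, for example `if (control->size < 1 || control->size > MAX_RDS_PS_NAME + 1)`, would not depend on the type of `len`. The commit message quotes only the compiler error, so a sentence naming the zero-size case would make the reason for the change clear to anyone backporting it.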
@@ -1026,7 +1026,7 @@  static int si4713_write_econtrol_string(struct si4713_device *sdev,
 		char radio_text[MAX_RDS_RADIO_TEXT + 1];
 
 		len = control->size - 1;
-		if (len > MAX_RDS_RADIO_TEXT) {
+		if (len < 0 || len > MAX_RDS_RADIO_TEXT) {
 			rval = -ERANGE;
 			goto exit;
 		}
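
Review bot: the range check in the radio_text branch is a copy of the one in the ps_name branch with only the constant changed, so a later change to one can miss the other. A small helper that takes `control->size` and the maximum (`MAX_RDS_PS_NAME` or `MAX_RDS_RADIO_TEXT`) and returns the length or -ERANGE would keep the two in step. The upper bound itself is consistent with the `char radio_text[MAX_RDS_RADIO_TEXT + 1]` declaration above it, since a `len` equal to the maximum still leaves one byte free.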