From patchwork Wed Jul 27 14:46:51 2016 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Luis Henriques X-Patchwork-Id: 653373 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Received: from huckleberry.canonical.com (huckleberry.canonical.com [91.189.94.19]) by ozlabs.org (Postfix) with ESMTP id 3rzyWG12h0z9t2N; Thu, 28 Jul 2016 00:47:06 +1000 (AEST) Received: from localhost ([127.0.0.1] helo=huckleberry.canonical.com) by huckleberry.canonical.com with esmtp (Exim 4.76) (envelope-from ) id 1bSQ6x-0001kY-Qy; Wed, 27 Jul 2016 14:47:03 +0000 Received: from youngberry.canonical.com ([91.189.89.112]) by huckleberry.canonical.com with esmtp (Exim 4.76) (envelope-from ) id 1bSQ6o-0001gH-Ax for kernel-team@lists.ubuntu.com; Wed, 27 Jul 2016 14:46:54 +0000 Received: from 1.general.henrix.uk.vpn ([10.172.192.212] helo=localhost) by youngberry.canonical.com with esmtpsa (TLS1.0:RSA_AES_128_CBC_SHA1:16) (Exim 4.76) (envelope-from ) id 1bSQ6n-0007sj-Uc for kernel-team@lists.ubuntu.com; Wed, 27 Jul 2016 14:46:54 +0000 From: Luis Henriques To: kernel-team@lists.ubuntu.com Subject: [Precise] [media] mb86a20s: apply mask to val after checking for read failure Date: Wed, 27 Jul 2016 15:46:51 +0100 Message-Id: <1469630812-20452-2-git-send-email-luis.henriques@canonical.com> In-Reply-To: <1469630812-20452-1-git-send-email-luis.henriques@canonical.com> References: <1469630812-20452-1-git-send-email-luis.henriques@canonical.com> X-BeenThere: kernel-team@lists.ubuntu.com X-Mailman-Version: 2.1.14 Precedence: list List-Id: Kernel team discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Errors-To: kernel-team-bounces@lists.ubuntu.com Sender: kernel-team-bounces@lists.ubuntu.com From: Colin Ian King Appling the mask 0x0f to the immediate return of the call to mb86a20s_readreg will always result in a positive value, meaning that the check of ret < 0 will never work. Instead, check for a -ve return value first, and then mask val with 0x0f. Kudos to Mauro Carvalho Chehab for spotting the mistake in my original fix. Signed-off-by: Colin Ian King Signed-off-by: Mauro Carvalho Chehab (backported from commit eca2d34b9d2ce70165a50510659838e28ca22742) [ luis: - file moved (drivers/media/dvb/frontends/mb86a20s.c => drivers/media/dvb-frontends/mb86a20s.c) with commit 9a0bf528b4d6 ("[media] move the dvb/frontends to drivers/media/dvb-frontends") - added missing check for < 0, which was introduced by commit dd4493ef34cb ("[media] mb86a20s: Function reorder") ] CVE-2016-5400 Signed-off-by: Luis Henriques --- drivers/media/dvb/frontends/mb86a20s.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/drivers/media/dvb/frontends/mb86a20s.c b/drivers/media/dvb/frontends/mb86a20s.c index 0f867a5055fb..d1ddba073252 100644 --- a/drivers/media/dvb/frontends/mb86a20s.c +++ b/drivers/media/dvb/frontends/mb86a20s.c @@ -461,10 +461,13 @@ static int mb86a20s_read_status(struct dvb_frontend *fe, fe_status_t *status) if (fe->ops.i2c_gate_ctrl) fe->ops.i2c_gate_ctrl(fe, 0); - val = mb86a20s_readreg(state, 0x0a) & 0xf; + val = mb86a20s_readreg(state, 0x0a); + if (val < 0) + return val; if (fe->ops.i2c_gate_ctrl) fe->ops.i2c_gate_ctrl(fe, 1); + val &= 0xf; if (val >= 2) *status |= FE_HAS_SIGNAL;