84 lines
2.4 KiB
Diff
84 lines
2.4 KiB
Diff
|
From: Malcolm Priestley <tvboxspy@gmail.com>
|
||
|
Date: Tue, 26 Sep 2017 17:10:20 -0400
|
||
|
Subject: [1/2] media: dvb-usb-v2: lmedm04: Improve logic checking of warm
|
||
|
start
|
||
|
Origin: https://git.linuxtv.org/media_tree.git/commit?id=3d932ee27e852e4904647f15b64dedca51187ad7
|
||
|
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-16538
|
||
|
|
||
|
Warm start has no check as whether a genuine device has
|
||
|
connected and proceeds to next execution path.
|
||
|
|
||
|
Check device should read 0x47 at offset of 2 on USB descriptor read
|
||
|
and it is the amount requested of 6 bytes.
|
||
|
|
||
|
Fix for
|
||
|
kasan: CONFIG_KASAN_INLINE enabled
|
||
|
kasan: GPF could be caused by NULL-ptr deref or user memory access as
|
||
|
|
||
|
Reported-by: Andrey Konovalov <andreyknvl@google.com>
|
||
|
Signed-off-by: Malcolm Priestley <tvboxspy@gmail.com>
|
||
|
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
|
||
|
---
|
||
|
drivers/media/usb/dvb-usb-v2/lmedm04.c | 26 ++++++++++++++++++--------
|
||
|
1 file changed, 18 insertions(+), 8 deletions(-)
|
||
|
|
||
|
--- a/drivers/media/usb/dvb-usb-v2/lmedm04.c
|
||
|
+++ b/drivers/media/usb/dvb-usb-v2/lmedm04.c
|
||
|
@@ -494,18 +494,23 @@ static int lme2510_pid_filter(struct dvb
|
||
|
|
||
|
static int lme2510_return_status(struct dvb_usb_device *d)
|
||
|
{
|
||
|
- int ret = 0;
|
||
|
+ int ret;
|
||
|
u8 *data;
|
||
|
|
||
|
- data = kzalloc(10, GFP_KERNEL);
|
||
|
+ data = kzalloc(6, GFP_KERNEL);
|
||
|
if (!data)
|
||
|
return -ENOMEM;
|
||
|
|
||
|
- ret |= usb_control_msg(d->udev, usb_rcvctrlpipe(d->udev, 0),
|
||
|
- 0x06, 0x80, 0x0302, 0x00, data, 0x0006, 200);
|
||
|
- info("Firmware Status: %x (%x)", ret , data[2]);
|
||
|
+ ret = usb_control_msg(d->udev, usb_rcvctrlpipe(d->udev, 0),
|
||
|
+ 0x06, 0x80, 0x0302, 0x00,
|
||
|
+ data, 0x6, 200);
|
||
|
+ if (ret != 6)
|
||
|
+ ret = -EINVAL;
|
||
|
+ else
|
||
|
+ ret = data[2];
|
||
|
+
|
||
|
+ info("Firmware Status: %6ph", data);
|
||
|
|
||
|
- ret = (ret < 0) ? -ENODEV : data[2];
|
||
|
kfree(data);
|
||
|
return ret;
|
||
|
}
|
||
|
@@ -1189,6 +1194,7 @@ static int lme2510_get_adapter_count(str
|
||
|
static int lme2510_identify_state(struct dvb_usb_device *d, const char **name)
|
||
|
{
|
||
|
struct lme2510_state *st = d->priv;
|
||
|
+ int status;
|
||
|
|
||
|
usb_reset_configuration(d->udev);
|
||
|
|
||
|
@@ -1197,12 +1203,16 @@ static int lme2510_identify_state(struct
|
||
|
|
||
|
st->dvb_usb_lme2510_firmware = dvb_usb_lme2510_firmware;
|
||
|
|
||
|
- if (lme2510_return_status(d) == 0x44) {
|
||
|
+ status = lme2510_return_status(d);
|
||
|
+ if (status == 0x44) {
|
||
|
*name = lme_firmware_switch(d, 0);
|
||
|
return COLD;
|
||
|
}
|
||
|
|
||
|
- return 0;
|
||
|
+ if (status != 0x47)
|
||
|
+ return -EINVAL;
|
||
|
+
|
||
|
+ return WARM;
|
||
|
}
|
||
|
|
||
|
static int lme2510_get_stream_config(struct dvb_frontend *fe, u8 *ts_type,
|