Commit 7cc7a833 authored by Dan Carpenter's avatar Dan Carpenter Committed by Mauro Carvalho Chehab
Browse files

media: adv7604: Prevent out of bounds access 



These can only be accessed with CAP_SYS_ADMIN so it's not a critical
security issue.  The problem is that "page" is controlled by the user in
the ioctl().  The test to see if the bit is set in state->info->page_mask
is not sufficient because "page" can be very high and shift wrap around
to a bit which is set.

Signed-off-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: default avatarHans Verkuil <hans.verkuil@cisco.com>
Signed-off-by: default avatarMauro Carvalho Chehab <mchehab@s-opensource.com>
parent b050d46e

drivers/media/i2c/adv7604.c

+2 −2
Original line number Diff line number Diff line
@@ -618,7 +618,7 @@ static int adv76xx_read_reg(struct v4l2_subdev *sd, unsigned int reg) 
	unsigned int val;

	int err;



	if (!(BIT(page) & state->info->page_mask))

	if (page >= ADV76XX_PAGE_MAX || !(BIT(page) & state->info->page_mask))

		return -EINVAL;



	reg &= 0xff;
@@ -633,7 +633,7 @@ static int adv76xx_write_reg(struct v4l2_subdev *sd, unsigned int reg, u8 val) 
	struct adv76xx_state *state = to_state(sd);

	unsigned int page = reg >> 8;



	if (!(BIT(page) & state->info->page_mask))

	if (page >= ADV76XX_PAGE_MAX || !(BIT(page) & state->info->page_mask))

		return -EINVAL;



	reg &= 0xff;

CRA Git | Maintained and supported by SUSTech CRA and CCSE