This is an automatic generated email to let you know that the following patch 
were queued:

Subject: media: adv7604: Prevent out of bounds access
Author:  Dan Carpenter <dan.carpen...@oracle.com>
Date:    Fri Aug 4 04:07:51 2017 -0400

These can only be accessed with CAP_SYS_ADMIN so it's not a critical
security issue.  The problem is that "page" is controlled by the user in
the ioctl().  The test to see if the bit is set in state->info->page_mask
is not sufficient because "page" can be very high and shift wrap around
to a bit which is set.

Signed-off-by: Dan Carpenter <dan.carpen...@oracle.com>
Signed-off-by: Hans Verkuil <hans.verk...@cisco.com>
Signed-off-by: Mauro Carvalho Chehab <mche...@s-opensource.com>

 drivers/media/i2c/adv7604.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

---

diff --git a/drivers/media/i2c/adv7604.c b/drivers/media/i2c/adv7604.c
index 324d39bd68d0..f289b8aca1da 100644
--- a/drivers/media/i2c/adv7604.c
+++ b/drivers/media/i2c/adv7604.c
@@ -618,7 +618,7 @@ static int adv76xx_read_reg(struct v4l2_subdev *sd, 
unsigned int reg)
        unsigned int val;
        int err;
 
-       if (!(BIT(page) & state->info->page_mask))
+       if (page >= ADV76XX_PAGE_MAX || !(BIT(page) & state->info->page_mask))
                return -EINVAL;
 
        reg &= 0xff;
@@ -633,7 +633,7 @@ static int adv76xx_write_reg(struct v4l2_subdev *sd, 
unsigned int reg, u8 val)
        struct adv76xx_state *state = to_state(sd);
        unsigned int page = reg >> 8;
 
-       if (!(BIT(page) & state->info->page_mask))
+       if (page >= ADV76XX_PAGE_MAX || !(BIT(page) & state->info->page_mask))
                return -EINVAL;
 
        reg &= 0xff;

_______________________________________________
linuxtv-commits mailing list
linuxtv-commits@linuxtv.org
https://www.linuxtv.org/cgi-bin/mailman/listinfo/linuxtv-commits

Reply via email to