This is an automatic generated email to let you know that the following patch
were queued:
Subject: media: adv7604: Prevent out of bounds access
Author: Dan Carpenter <dan.carpen...@oracle.com>
Date: Fri Aug 4 04:07:51 2017 -0400
These can only be accessed with CAP_SYS_ADMIN so it's not a critical
security issue. The problem is that "page" is controlled by the user in
the ioctl(). The test to see if the bit is set in state->info->page_mask
is not sufficient because "page" can be very high and shift wrap around
to a bit which is set.
Signed-off-by: Dan Carpenter <dan.carpen...@oracle.com>
Signed-off-by: Hans Verkuil <hans.verk...@cisco.com>
Signed-off-by: Mauro Carvalho Chehab <mche...@s-opensource.com>
drivers/media/i2c/adv7604.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
---
diff --git a/drivers/media/i2c/adv7604.c b/drivers/media/i2c/adv7604.c
index 324d39bd68d0..f289b8aca1da 100644
--- a/drivers/media/i2c/adv7604.c
+++ b/drivers/media/i2c/adv7604.c
@@ -618,7 +618,7 @@ static int adv76xx_read_reg(struct v4l2_subdev *sd,
unsigned int reg)
unsigned int val;
int err;
- if (!(BIT(page) & state->info->page_mask))
+ if (page >= ADV76XX_PAGE_MAX || !(BIT(page) & state->info->page_mask))
return -EINVAL;
reg &= 0xff;
@@ -633,7 +633,7 @@ static int adv76xx_write_reg(struct v4l2_subdev *sd,
unsigned int reg, u8 val)
struct adv76xx_state *state = to_state(sd);
unsigned int page = reg >> 8;
- if (!(BIT(page) & state->info->page_mask))
+ if (page >= ADV76XX_PAGE_MAX || !(BIT(page) & state->info->page_mask))
return -EINVAL;
reg &= 0xff;
_______________________________________________
linuxtv-commits mailing list
linuxtv-commits@linuxtv.org
https://www.linuxtv.org/cgi-bin/mailman/listinfo/linuxtv-commits
