Dan Carpenter 35d2969ea3 media: firewire: firedtv-avc: fix a buffer overflow in avc_ca_pmt()
The bounds checking in avc_ca_pmt() is not strict enough.  It should
be checking "read_pos + 4" because it's reading 5 bytes.  If the
"es_info_length" is non-zero then it reads a 6th byte so there needs to
be an additional check for that.

I also added checks for the "write_pos".  I don't think these are
required because "read_pos" and "write_pos" are tied together so
checking one ought to be enough.  But they make the code easier to
understand for me.  The check on write_pos is:

	if (write_pos + 4 >= sizeof(c->operand) - 4) {

The first "+ 4" is because we're writing 5 bytes and the last " - 4"
is to leave space for the CRC.

The other problem is that "length" can be invalid.  It comes from
"data_length" in fdtv_ca_pmt().

Cc: stable@vger.kernel.org
Reported-by: Luo Likang <luolikang@nsfocus.com>
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
2021-09-30 10:07:54 +02:00

256 lines
5.5 KiB
C

// SPDX-License-Identifier: GPL-2.0-or-later
/*
* FireDTV driver (formerly known as FireSAT)
*
* Copyright (C) 2004 Andreas Monitzer <andy@monitzer.com>
* Copyright (C) 2008 Henrik Kurelid <henrik@kurelid.se>
*/
#include <linux/device.h>
#include <linux/dvb/ca.h>
#include <linux/fs.h>
#include <linux/module.h>
#include <media/dvbdev.h>
#include "firedtv.h"
#define EN50221_TAG_APP_INFO_ENQUIRY 0x9f8020
#define EN50221_TAG_CA_INFO_ENQUIRY 0x9f8030
#define EN50221_TAG_CA_PMT 0x9f8032
#define EN50221_TAG_ENTER_MENU 0x9f8022
static int fdtv_ca_ready(struct firedtv_tuner_status *stat)
{
return stat->ca_initialization_status == 1 &&
stat->ca_error_flag == 0 &&
stat->ca_dvb_flag == 1 &&
stat->ca_module_present_status == 1;
}
static int fdtv_get_ca_flags(struct firedtv_tuner_status *stat)
{
int flags = 0;
if (stat->ca_module_present_status == 1)
flags |= CA_CI_MODULE_PRESENT;
if (stat->ca_initialization_status == 1 &&
stat->ca_error_flag == 0 &&
stat->ca_dvb_flag == 1)
flags |= CA_CI_MODULE_READY;
return flags;
}
static int fdtv_ca_get_caps(void *arg)
{
struct ca_caps *cap = arg;
cap->slot_num = 1;
cap->slot_type = CA_CI;
cap->descr_num = 1;
cap->descr_type = CA_ECD;
return 0;
}
static int fdtv_ca_get_slot_info(struct firedtv *fdtv, void *arg)
{
struct firedtv_tuner_status stat;
struct ca_slot_info *slot = arg;
int err;
err = avc_tuner_status(fdtv, &stat);
if (err)
return err;
if (slot->num != 0)
return -EACCES;
slot->type = CA_CI;
slot->flags = fdtv_get_ca_flags(&stat);
return 0;
}
static int fdtv_ca_app_info(struct firedtv *fdtv, void *arg)
{
struct ca_msg *reply = arg;
return avc_ca_app_info(fdtv, reply->msg, &reply->length);
}
static int fdtv_ca_info(struct firedtv *fdtv, void *arg)
{
struct ca_msg *reply = arg;
return avc_ca_info(fdtv, reply->msg, &reply->length);
}
static int fdtv_ca_get_mmi(struct firedtv *fdtv, void *arg)
{
struct ca_msg *reply = arg;
return avc_ca_get_mmi(fdtv, reply->msg, &reply->length);
}
static int fdtv_ca_get_msg(struct firedtv *fdtv, void *arg)
{
struct firedtv_tuner_status stat;
int err;
switch (fdtv->ca_last_command) {
case EN50221_TAG_APP_INFO_ENQUIRY:
err = fdtv_ca_app_info(fdtv, arg);
break;
case EN50221_TAG_CA_INFO_ENQUIRY:
err = fdtv_ca_info(fdtv, arg);
break;
default:
err = avc_tuner_status(fdtv, &stat);
if (err)
break;
if (stat.ca_mmi == 1)
err = fdtv_ca_get_mmi(fdtv, arg);
else {
dev_info(fdtv->device, "unhandled CA message 0x%08x\n",
fdtv->ca_last_command);
err = -EACCES;
}
}
fdtv->ca_last_command = 0;
return err;
}
static int fdtv_ca_pmt(struct firedtv *fdtv, void *arg)
{
struct ca_msg *msg = arg;
int data_pos;
int data_length;
int i;
data_pos = 4;
if (msg->msg[3] & 0x80) {
data_length = 0;
for (i = 0; i < (msg->msg[3] & 0x7f); i++)
data_length = (data_length << 8) + msg->msg[data_pos++];
} else {
data_length = msg->msg[3];
}
if (data_length > sizeof(msg->msg) - data_pos)
return -EINVAL;
return avc_ca_pmt(fdtv, &msg->msg[data_pos], data_length);
}
static int fdtv_ca_send_msg(struct firedtv *fdtv, void *arg)
{
struct ca_msg *msg = arg;
int err;
/* Do we need a semaphore for this? */
fdtv->ca_last_command =
(msg->msg[0] << 16) + (msg->msg[1] << 8) + msg->msg[2];
switch (fdtv->ca_last_command) {
case EN50221_TAG_CA_PMT:
err = fdtv_ca_pmt(fdtv, arg);
break;
case EN50221_TAG_APP_INFO_ENQUIRY:
/* handled in ca_get_msg */
err = 0;
break;
case EN50221_TAG_CA_INFO_ENQUIRY:
/* handled in ca_get_msg */
err = 0;
break;
case EN50221_TAG_ENTER_MENU:
err = avc_ca_enter_menu(fdtv);
break;
default:
dev_err(fdtv->device, "unhandled CA message 0x%08x\n",
fdtv->ca_last_command);
err = -EACCES;
}
return err;
}
static int fdtv_ca_ioctl(struct file *file, unsigned int cmd, void *arg)
{
struct dvb_device *dvbdev = file->private_data;
struct firedtv *fdtv = dvbdev->priv;
struct firedtv_tuner_status stat;
int err;
switch (cmd) {
case CA_RESET:
err = avc_ca_reset(fdtv);
break;
case CA_GET_CAP:
err = fdtv_ca_get_caps(arg);
break;
case CA_GET_SLOT_INFO:
err = fdtv_ca_get_slot_info(fdtv, arg);
break;
case CA_GET_MSG:
err = fdtv_ca_get_msg(fdtv, arg);
break;
case CA_SEND_MSG:
err = fdtv_ca_send_msg(fdtv, arg);
break;
default:
dev_info(fdtv->device, "unhandled CA ioctl %u\n", cmd);
err = -EOPNOTSUPP;
}
/* FIXME Is this necessary? */
avc_tuner_status(fdtv, &stat);
return err;
}
static __poll_t fdtv_ca_io_poll(struct file *file, poll_table *wait)
{
return EPOLLIN;
}
static const struct file_operations fdtv_ca_fops = {
.owner = THIS_MODULE,
.unlocked_ioctl = dvb_generic_ioctl,
.open = dvb_generic_open,
.release = dvb_generic_release,
.poll = fdtv_ca_io_poll,
.llseek = noop_llseek,
};
static const struct dvb_device fdtv_ca = {
.users = 1,
.readers = 1,
.writers = 1,
.fops = &fdtv_ca_fops,
.kernel_ioctl = fdtv_ca_ioctl,
};
int fdtv_ca_register(struct firedtv *fdtv)
{
struct firedtv_tuner_status stat;
int err;
if (avc_tuner_status(fdtv, &stat))
return -EINVAL;
if (!fdtv_ca_ready(&stat))
return -EFAULT;
err = dvb_register_device(&fdtv->adapter, &fdtv->cadev,
&fdtv_ca, fdtv, DVB_DEVICE_CA, 0);
if (stat.ca_application_info == 0)
dev_err(fdtv->device, "CaApplicationInfo is not set\n");
if (stat.ca_date_time_request == 1)
avc_ca_get_time_date(fdtv, &fdtv->ca_time_interval);
return err;
}
void fdtv_ca_release(struct firedtv *fdtv)
{
dvb_unregister_device(fdtv->cadev);
}