* [PATCH] media: firedtv: bound the CA reply length in avc_ca_app_info
@ 2026-07-01 8:28 Maoyi Xie
0 siblings, 0 replies; only message in thread
From: Maoyi Xie @ 2026-07-01 8:28 UTC (permalink / raw)
To: Stefan Richter, Mauro Carvalho Chehab
Cc: linux-media, linux1394-devel, linux-kernel
avc_ca_app_info() copies a device length from the CI-CAM response with no
bound check:
memcpy(&app_info[5], &r->operand[pos], 5 + r->operand[pos + 4]);
r->operand[pos + 4] is a byte the CAM controls, up to 255. app_info is the
256 byte msg[] of struct ca_msg, reached from userspace through the
CA_GET_MSG ioctl. The copy starts at offset 5 and runs 5 + that byte, so a
value above 246 overruns the buffer. A byte of 0xff writes about 9 bytes
past it.
The same idiom in avc_ca_pmt() was bounded for CVE-2021-42739 in
commit 35d2969ea3c7 ("media: firewire: firedtv-avc: fix a buffer overflow
in avc_ca_pmt()"). This reply path was left unbounded. It now returns
-EINVAL when the reported length would run past the 256 byte reply.
Fixes: 154907957f939 ("firedtv: massive refactoring")
Cc: stable@vger.kernel.org
Signed-off-by: Maoyi Xie <maoyixie.tju@gmail.com>
---
drivers/media/firewire/firedtv-avc.c | 12 +++++++++---
1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/drivers/media/firewire/firedtv-avc.c b/drivers/media/firewire/firedtv-avc.c
index a36c284121702..d77b9b802eddb 100644
--- a/drivers/media/firewire/firedtv-avc.c
+++ b/drivers/media/firewire/firedtv-avc.c
@@ -971,7 +971,7 @@ int avc_ca_app_info(struct firedtv *fdtv, unsigned char *app_info,
{
struct avc_command_frame *c = (void *)fdtv->avc_data;
struct avc_response_frame *r = (void *)fdtv->avc_data;
- int pos, ret;
+ int pos, length, ret;
mutex_lock(&fdtv->avc_mutex);
@@ -995,12 +995,18 @@ int avc_ca_app_info(struct firedtv *fdtv, unsigned char *app_info,
/* FIXME: check response code and validate response data */
pos = get_ca_object_pos(r);
+ length = r->operand[pos + 4];
+ /* 5 header bytes then 5 + length bytes are written to app_info */
+ if (5 + 5 + length > 256) {
+ ret = -EINVAL;
+ goto out;
+ }
app_info[0] = (EN50221_TAG_APP_INFO >> 16) & 0xff;
app_info[1] = (EN50221_TAG_APP_INFO >> 8) & 0xff;
app_info[2] = (EN50221_TAG_APP_INFO >> 0) & 0xff;
- app_info[3] = 6 + r->operand[pos + 4];
+ app_info[3] = 6 + length;
app_info[4] = 0x01;
- memcpy(&app_info[5], &r->operand[pos], 5 + r->operand[pos + 4]);
+ memcpy(&app_info[5], &r->operand[pos], 5 + length);
*len = app_info[3] + 4;
out:
mutex_unlock(&fdtv->avc_mutex);
--
2.34.1
^ permalink raw reply [flat|nested] only message in thread
only message in thread, other threads:[~2026-07-01 8:28 UTC | newest]
Thread overview: (only message) (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2026-07-01 8:28 [PATCH] media: firedtv: bound the CA reply length in avc_ca_app_info Maoyi Xie
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox