mirror of https://lore.kernel.org/lkml/
 help / color / mirror / Atom feed
* [PATCH] media: firedtv: bound the CA reply length in avc_ca_app_info
@ 2026-07-01  8:28 Maoyi Xie
  0 siblings, 0 replies; only message in thread
From: Maoyi Xie @ 2026-07-01  8:28 UTC (permalink / raw)
  To: Stefan Richter, Mauro Carvalho Chehab
  Cc: linux-media, linux1394-devel, linux-kernel

avc_ca_app_info() copies a device length from the CI-CAM response with no
bound check:

	memcpy(&app_info[5], &r->operand[pos], 5 + r->operand[pos + 4]);

r->operand[pos + 4] is a byte the CAM controls, up to 255. app_info is the
256 byte msg[] of struct ca_msg, reached from userspace through the
CA_GET_MSG ioctl. The copy starts at offset 5 and runs 5 + that byte, so a
value above 246 overruns the buffer. A byte of 0xff writes about 9 bytes
past it.

The same idiom in avc_ca_pmt() was bounded for CVE-2021-42739 in
commit 35d2969ea3c7 ("media: firewire: firedtv-avc: fix a buffer overflow
in avc_ca_pmt()"). This reply path was left unbounded. It now returns
-EINVAL when the reported length would run past the 256 byte reply.

Fixes: 154907957f939 ("firedtv: massive refactoring")
Cc: stable@vger.kernel.org
Signed-off-by: Maoyi Xie <maoyixie.tju@gmail.com>
---
 drivers/media/firewire/firedtv-avc.c | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/drivers/media/firewire/firedtv-avc.c b/drivers/media/firewire/firedtv-avc.c
index a36c284121702..d77b9b802eddb 100644
--- a/drivers/media/firewire/firedtv-avc.c
+++ b/drivers/media/firewire/firedtv-avc.c
@@ -971,7 +971,7 @@ int avc_ca_app_info(struct firedtv *fdtv, unsigned char *app_info,
 {
 	struct avc_command_frame *c = (void *)fdtv->avc_data;
 	struct avc_response_frame *r = (void *)fdtv->avc_data;
-	int pos, ret;
+	int pos, length, ret;
 
 	mutex_lock(&fdtv->avc_mutex);
 
@@ -995,12 +995,18 @@ int avc_ca_app_info(struct firedtv *fdtv, unsigned char *app_info,
 	/* FIXME: check response code and validate response data */
 
 	pos = get_ca_object_pos(r);
+	length = r->operand[pos + 4];
+	/* 5 header bytes then 5 + length bytes are written to app_info */
+	if (5 + 5 + length > 256) {
+		ret = -EINVAL;
+		goto out;
+	}
 	app_info[0] = (EN50221_TAG_APP_INFO >> 16) & 0xff;
 	app_info[1] = (EN50221_TAG_APP_INFO >>  8) & 0xff;
 	app_info[2] = (EN50221_TAG_APP_INFO >>  0) & 0xff;
-	app_info[3] = 6 + r->operand[pos + 4];
+	app_info[3] = 6 + length;
 	app_info[4] = 0x01;
-	memcpy(&app_info[5], &r->operand[pos], 5 + r->operand[pos + 4]);
+	memcpy(&app_info[5], &r->operand[pos], 5 + length);
 	*len = app_info[3] + 4;
 out:
 	mutex_unlock(&fdtv->avc_mutex);
-- 
2.34.1


^ permalink raw reply	[flat|nested] only message in thread

only message in thread, other threads:[~2026-07-01  8:28 UTC | newest]

Thread overview: (only message) (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2026-07-01  8:28 [PATCH] media: firedtv: bound the CA reply length in avc_ca_app_info Maoyi Xie

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox