Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit a4151326 authored by Jia-Ju Bai's avatar Jia-Ju Bai Committed by Greg Kroah-Hartman
Browse files

media: pci: ttpci: av7110: fix possible buffer overflow caused by bad DMA value in debiirq() 



[ Upstream commit 6499a0db9b0f1e903d52f8244eacc1d4be00eea2 ]

The value av7110->debi_virt is stored in DMA memory, and it is assigned
to data, and thus data[0] can be modified at any time by malicious
hardware. In this case, "if (data[0] < 2)" can be passed, but then
data[0] can be changed into a large number, which may cause buffer
overflow when the code "av7110->ci_slot[data[0]]" is used.

To fix this possible bug, data[0] is assigned to a local variable, which
replaces the use of data[0].

Signed-off-by: default avatarJia-Ju Bai <baijiaju@tsinghua.edu.cn>
Signed-off-by: default avatarSean Young <sean@mess.org>
Signed-off-by: default avatarMauro Carvalho Chehab <mchehab+huawei@kernel.org>
Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
parent 203bedf3
Show whitespace changes
Inline Side-by-side
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Please register or to comment