diff options
author | Dan Carpenter <dan.carpenter@oracle.com> | 2017-08-04 11:07:51 +0300 |
---|---|---|
committer | Mauro Carvalho Chehab <mchehab@s-opensource.com> | 2017-08-09 17:35:15 +0300 |
commit | 7cc7a83394be1db510609d8d2f68c53b63a3ecff (patch) | |
tree | 2a66584f62ecd57d613031e6b188b8eb39c7f226 /drivers/media/i2c/adv7604.c | |
parent | b050d46e4a64ab0b9df9a607a6c4dc7b28e9125b (diff) | |
download | linux-7cc7a83394be1db510609d8d2f68c53b63a3ecff.tar.xz |
media: adv7604: Prevent out of bounds access
These can only be accessed with CAP_SYS_ADMIN so it's not a critical
security issue. The problem is that "page" is controlled by the user in
the ioctl(). The test to see if the bit is set in state->info->page_mask
is not sufficient because "page" can be very high and shift wrap around
to a bit which is set.
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
Diffstat (limited to 'drivers/media/i2c/adv7604.c')
-rw-r--r-- | drivers/media/i2c/adv7604.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/drivers/media/i2c/adv7604.c b/drivers/media/i2c/adv7604.c index 324d39bd68d0..f289b8aca1da 100644 --- a/drivers/media/i2c/adv7604.c +++ b/drivers/media/i2c/adv7604.c @@ -618,7 +618,7 @@ static int adv76xx_read_reg(struct v4l2_subdev *sd, unsigned int reg) unsigned int val; int err; - if (!(BIT(page) & state->info->page_mask)) + if (page >= ADV76XX_PAGE_MAX || !(BIT(page) & state->info->page_mask)) return -EINVAL; reg &= 0xff; @@ -633,7 +633,7 @@ static int adv76xx_write_reg(struct v4l2_subdev *sd, unsigned int reg, u8 val) struct adv76xx_state *state = to_state(sd); unsigned int page = reg >> 8; - if (!(BIT(page) & state->info->page_mask)) + if (page >= ADV76XX_PAGE_MAX || !(BIT(page) & state->info->page_mask)) return -EINVAL; reg &= 0xff; |