Commit 006cd3f1 authored Jan 06, 2025 by Hans Verkuil Committed by Cai Xinchen Jan 06, 2025

media: s5p_cec: limit msg.len to CEC_MAX_MSG_SIZE

stable inclusion
from stable-v4.19.265
commit a2728bf9b6c65e46468c763e3dab7e04839d4e11
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IBFBZR
CVE: CVE-2022-49035

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=a2728bf9b6c65e46468c763e3dab7e04839d4e11



--------------------------------

[ Upstream commit 93f65ce0 ]

I expect that the hardware will have limited this to 16, but just in
case it hasn't, check for this corner case.

Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Cai Xinchen <caixinchen1@huawei.com>

parent 21eb7b92

drivers/media/platform/s5p-cec/s5p_cec.c

+2 −0

Original line number	Diff line number	Diff line
		@@ -116,6 +116,8 @@ static irqreturn_t s5p_cec_irq_handler(int irq, void *priv)
		dev_dbg(cec->dev, "Buffer overrun (worker did not process previous message)\n");
		cec->rx = STATE_BUSY;
		cec->msg.len = status >> 24;
		if (cec->msg.len > CEC_MAX_MSG_SIZE)
		cec->msg.len = CEC_MAX_MSG_SIZE;
		cec->msg.rx_status = CEC_RX_STATUS_OK;
		s5p_cec_get_rx_buf(cec, cec->msg.len,
		cec->msg.msg);