Commit 1e58f42b authored Oct 24, 2024 by Junlin Li Committed by Yi Yang Oct 24, 2024

drivers: media: dvb-frontends/rtl2832: fix an out-of-bounds write error

stable inclusion
from stable-v6.6.54
commit 527ab3eb3b0b4a6ee00e183c1de6a730239e2835
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAYPJY
CVE: CVE-2024-47698

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=527ab3eb3b0b4a6ee00e183c1de6a730239e2835



--------------------------------

[ Upstream commit 8ae06f360cfaca2b88b98ca89144548b3186aab1 ]

Ensure index in rtl2832_pid_filter does not exceed 31 to prevent
out-of-bounds access.

dev->filters is a 32-bit value, so set_bit and clear_bit functions should
only operate on indices from 0 to 31. If index is 32, it will attempt to
access a non-existent 33rd bit, leading to out-of-bounds access.
Change the boundary check from index > 32 to index >= 32 to resolve this
issue.

Signed-off-by: Junlin Li <make24@iscas.ac.cn>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Fixes: 4b01e01a ("[media] rtl2832: implement PID filter")
[hverkuil: added fixes tag, rtl2830_pid_filter -> rtl2832_pid_filter in logmsg]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Yi Yang <yiyang13@huawei.com>

parent ed7fbeaf

drivers/media/dvb-frontends/rtl2832.c

+1 −1

Original line number	Diff line number	Diff line
		@@ -983,7 +983,7 @@ static int rtl2832_pid_filter(struct dvb_frontend *fe, u8 index, u16 pid,
		index, pid, onoff, dev->slave_ts);

		/* skip invalid PIDs (0x2000) */
		if (pid > 0x1fff \|\| index > 32)
		if (pid > 0x1fff \|\| index >= 32)
		return 0;

		if (onoff)