media: dvb-usb-v2: lmedm04: Improve logic checking of warm start
authorMalcolm Priestley <tvboxspy@gmail.com>
Tue, 26 Sep 2017 21:10:20 +0000 (17:10 -0400)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 16 Feb 2018 19:22:45 +0000 (20:22 +0100)
commit 3d932ee27e852e4904647f15b64dedca51187ad7 upstream.

Warm start has no check as whether a genuine device has
connected and proceeds to next execution path.

Check device should read 0x47 at offset of 2 on USB descriptor read
and it is the amount requested of 6 bytes.

Fix for
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access as

Reported-by: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: Malcolm Priestley <tvboxspy@gmail.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
Cc: Ben Hutchings <ben.hutchings@codethink.co.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
drivers/media/usb/dvb-usb-v2/lmedm04.c

index 5e320fa4a7950a3365754a9d5746d60c7d8855e0..992f2011a6ba952e97e09aba62a93cc715162b2a 100644 (file)
@@ -494,18 +494,23 @@ static int lme2510_pid_filter(struct dvb_usb_adapter *adap, int index, u16 pid,
 
 static int lme2510_return_status(struct dvb_usb_device *d)
 {
-       int ret = 0;
+       int ret;
        u8 *data;
 
-       data = kzalloc(10, GFP_KERNEL);
+       data = kzalloc(6, GFP_KERNEL);
        if (!data)
                return -ENOMEM;
 
-       ret |= usb_control_msg(d->udev, usb_rcvctrlpipe(d->udev, 0),
-                       0x06, 0x80, 0x0302, 0x00, data, 0x0006, 200);
-       info("Firmware Status: %x (%x)", ret , data[2]);
+       ret = usb_control_msg(d->udev, usb_rcvctrlpipe(d->udev, 0),
+                             0x06, 0x80, 0x0302, 0x00,
+                             data, 0x6, 200);
+       if (ret != 6)
+               ret = -EINVAL;
+       else
+               ret = data[2];
+
+       info("Firmware Status: %6ph", data);
 
-       ret = (ret < 0) ? -ENODEV : data[2];
        kfree(data);
        return ret;
 }
@@ -1189,6 +1194,7 @@ static int lme2510_get_adapter_count(struct dvb_usb_device *d)
 static int lme2510_identify_state(struct dvb_usb_device *d, const char **name)
 {
        struct lme2510_state *st = d->priv;
+       int status;
 
        usb_reset_configuration(d->udev);
 
@@ -1197,12 +1203,16 @@ static int lme2510_identify_state(struct dvb_usb_device *d, const char **name)
 
        st->dvb_usb_lme2510_firmware = dvb_usb_lme2510_firmware;
 
-       if (lme2510_return_status(d) == 0x44) {
+       status = lme2510_return_status(d);
+       if (status == 0x44) {
                *name = lme_firmware_switch(d, 0);
                return COLD;
        }
 
-       return 0;
+       if (status != 0x47)
+               return -EINVAL;
+
+       return WARM;
 }
 
 static int lme2510_get_stream_config(struct dvb_frontend *fe, u8 *ts_type,