[media] siano: firmware buffer is too small

As pointed by KASAN:

	BUG: KASAN: slab-out-of-bounds in memcpy+0x1d/0x40 at addr ffff880000038d8c
	Read of size 128 by task systemd-udevd/2536
	page:ffffea0000000800 count:1 mapcount:0 mapping:          (null) index:0x0 compound_mapcount: 0
	flags: 0xffff8000004000(head)
	page dumped because: kasan: bad access detected
	CPU: 1 PID: 2536 Comm: systemd-udevd Not tainted 4.5.0-rc3+ #47
	Hardware name:                  /NUC5i7RYB, BIOS RYBDWi35.86A.0350.2015.0812.1722 08/12/2015
	  ffff880000038d8c ffff8803b0f1f1e8 ffffffff81933901 0000000000000080
	  ffff8803b0f1f280 ffff8803b0f1f270 ffffffff815602c5 ffffffff8284cf93
	  ffffffff822ddc00 0000000000000282 0000000000000001 ffff88009c7c6000
	Call Trace:
	  [<ffffffff81933901>] dump_stack+0x85/0xc4
	  [<ffffffff815602c5>] kasan_report_error+0x525/0x550
	  [<ffffffff815606e9>] kasan_report+0x39/0x40
	  [<ffffffff8155f84d>] memcpy+0x1d/0x40
	  [<ffffffffa120cb90>] smscore_set_device_mode+0xee0/0x2560 [smsmdtv]

Such error happens at the memcpy code below:

0x4bc0 is in smscore_set_device_mode (drivers/media/common/siano/smscoreapi.c:975).
970					      sizeof(u32) + payload_size));
971
972			data_msg->mem_addr = mem_address;
973			memcpy(data_msg->payload, payload, payload_size);
974
975			rc = smscore_sendrequest_and_wait(coredev, data_msg,
976					data_msg->x_msg_header.msg_length,
977					&coredev->data_download_done);
978
979			payload += payload_size;

The problem is that the Siano driver uses a header to store the firmware,
with requires a few more bytes than allocated.

Tested with:
	PCTV 77e (2013:0257)
	Hauppauge WinTV MiniStick (2040:5510)

Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>

0 files changed, 0 insertions, 0 deletions