linux/drivers/media/video
Mauro Carvalho Chehab 01a1a3cc1e V4L/DVB (9624): CVE-2008-5033: fix OOPS on tvaudio when controlling bass/treble
This bug was supposed to be fixed by 5ba2f67afb,
where a call to NULL happens.

Not all tvaudio chips allow controlling bass/treble. So, the driver
has a table with a flag to indicate if the chip does support it.

Unfortunately, the handling of this logic was broken for a very long
time (probably since the first module version). Due to that, an OOPS
was generated for devices that don't support bass/treble.

This was the resulting OOPS message before the patch, with debug messages
enabled:

tvaudio' 1-005b: VIDIOC_S_CTRL
BUG: unable to handle kernel NULL pointer dereference at 00000000
IP: [<00000000>]
*pde = 22fda067 *pte = 00000000
Oops: 0000 [#1] SMP
Modules linked in: snd_hda_intel snd_seq_dummy snd_seq_oss snd_seq_midi_event snd_seq snd_seq_device
snd_pcm_oss snd_mixer_oss snd_pcm snd_timer snd_hwdep snd soundcore tuner_simple tuner_types tea5767 tuner
tvaudio bttv bridgebnep rfcomm l2cap bluetooth it87 hwmon_vid hwmon fuse sunrpc ipt_REJECT
nf_conntrack_ipv4 iptable_filter ip_tables ip6t_REJECT xt_tcpudp nf_conntrack_ipv6 xt_state nf_conntrack
ip6table_filter ip6_tables x_tables ipv6 dm_mirrordm_multipath dm_mod configfs videodev v4l1_compat
ir_common 8139cp compat_ioctl32 v4l2_common 8139too videobuf_dma_sg videobuf_core mii btcx_risc tveeprom
i915 button snd_page_alloc serio_raw drm pcspkr i2c_algo_bit i2c_i801 i2c_core iTCO_wdt
iTCO_vendor_support sr_mod cdrom sg ata_generic pata_acpi ata_piix libata sd_mod scsi_mod ext3 jbdmbcache
uhci_hcd ohci_hcd ehci_hcd [last unloaded: soundcore]

Pid: 15413, comm: qv4l2 Not tainted (2.6.25.14-108.fc9.i686 #1)
EIP: 0060:[<00000000>] EFLAGS: 00210246 CPU: 0
EIP is at 0x0
EAX: 00008000 EBX: ebd21600 ECX: e2fd9ec4 EDX: 00200046
ESI: f8c0f0c4 EDI: f8c0f0c4 EBP: e2fd9d50 ESP: e2fd9d2c
 DS: 007b ES: 007b FS: 00d8 GS: 0033 SS: 0068
Process qv4l2 (pid: 15413, ti=e2fd9000 task=ebe44000 task.ti=e2fd9000)
Stack: f8c0c6ae e2ff2a00 00000d00 e2fd9ec4 ebc4e000 e2fd9d5c f8c0c448 00000000
       f899c12a e2fd9d5c f899c154 e2fd9d68 e2fd9d80 c0560185 e2fd9d88 f8f3e1d8
       f8f3e1dc ebc4e034 f8f3e18c e2fd9ec4 00000000 e2fd9d90 f899c286 c008561c
Call Trace:
 [<f8c0c6ae>] ? chip_command+0x266/0x4b6 [tvaudio]
 [<f8c0c448>] ? chip_command+0x0/0x4b6 [tvaudio]
 [<f899c12a>] ? i2c_cmd+0x0/0x2f [i2c_core]
 [<f899c154>] ? i2c_cmd+0x2a/0x2f [i2c_core]
 [<c0560185>] ? device_for_each_child+0x21/0x49
 [<f899c286>] ? i2c_clients_command+0x1c/0x1e [i2c_core]
 [<f8f283d8>] ? bttv_call_i2c_clients+0x14/0x16 [bttv]
 [<f8f23601>] ? bttv_s_ctrl+0x1bc/0x313 [bttv]
 [<f8f23445>] ? bttv_s_ctrl+0x0/0x313 [bttv]
 [<f8b6096d>] ? __video_do_ioctl+0x1f84/0x3726 [videodev]
 [<c05abb4e>] ? sock_aio_write+0x100/0x10d
 [<c041b23e>] ? kmap_atomic_prot+0x1dd/0x1df
 [<c043a0c9>] ? enqueue_hrtimer+0xc2/0xcd
 [<c04f4fa4>] ? copy_from_user+0x39/0x121
 [<f8b622b9>] ? __video_ioctl2+0x1aa/0x24a [videodev]
 [<c04054fd>] ? do_notify_resume+0x768/0x795
 [<c043c0f7>] ? getnstimeofday+0x34/0xd1
 [<c0437b77>] ? autoremove_wake_function+0x0/0x33
 [<f8b62368>] ? video_ioctl2+0xf/0x13 [videodev]
 [<c048c6f0>] ? vfs_ioctl+0x50/0x69
 [<c048c942>] ? do_vfs_ioctl+0x239/0x24c
 [<c048c995>] ? sys_ioctl+0x40/0x5b
 [<c0405bf2>] ? syscall_call+0x7/0xb
 [<c0620000>] ? cpuid4_cache_sysfs_exit+0x3d/0x69
 =======================
Code:  Bad EIP value.
EIP: [<00000000>] 0x0 SS:ESP 0068:e2fd9d2c

Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
2008-11-14 14:39:47 -02:00
..
au0828 V4L/DVB (9252): au0828: Checkpatch compliance 2008-10-17 17:27:26 -03:00
bt8xx V4L/DVB (9327): v4l: use video_device.num instead of minor in video%d 2008-10-21 14:31:37 -02:00
cpia2 V4L/DVB (9327): v4l: use video_device.num instead of minor in video%d 2008-10-21 14:31:37 -02:00
cx18 V4L/DVB (9516): cx18: Move DVB buffer transfer handling from irq handler to work_queue 2008-11-11 08:11:33 -02:00
cx88 V4L/DVB (9499): cx88-mpeg: final fix for analogue only compilation + de-alloc fix 2008-11-11 08:11:27 -02:00
cx23885 V4L/DVB (9327): v4l: use video_device.num instead of minor in video%d 2008-10-21 14:31:37 -02:00
cx25840 V4L/DVB (9162): ivtv: fix raw/sliced VBI mixup 2008-10-13 09:08:01 -02:00
em28xx V4L/DVB (9327): v4l: use video_device.num instead of minor in video%d 2008-10-21 14:31:37 -02:00
et61x251 V4L/DVB (9327): v4l: use video_device.num instead of minor in video%d 2008-10-21 14:31:37 -02:00
gspca V4L/DVB (9557): gspca: Small changes for the sensor HV7131B in zc3xx. 2008-11-11 08:11:32 -02:00
ivtv V4L/DVB (9506): ivtv/cx18: fix test whether modules should be loaded or not. 2008-11-11 08:11:28 -02:00
ovcamchip V4L/DVB (8906): v4l-dvb: fix assorted sparse warnings 2008-10-12 09:36:58 -02:00
pvrusb2 V4L/DVB (9330): Get rid of inode parameter at v4l_compat_translate_ioctl() 2008-10-21 14:31:45 -02:00
pwc V4L/DVB (9327): v4l: use video_device.num instead of minor in video%d 2008-10-21 14:31:37 -02:00
saa7134 V4L/DVB (9356): [PATCH] saa7134: fix resource map sanity check conflict 2008-11-11 08:11:21 -02:00
sn9c102 V4L/DVB (9327): v4l: use video_device.num instead of minor in video%d 2008-10-21 14:31:37 -02:00
usbvideo V4L/DVB (9351): ibmcam: Fix a regression caused by a482f327ff 2008-11-11 08:11:19 -02:00
usbvision V4L/DVB (9327): v4l: use video_device.num instead of minor in video%d 2008-10-21 14:31:37 -02:00
uvc V4L/DVB (9330): Get rid of inode parameter at v4l_compat_translate_ioctl() 2008-10-21 14:31:45 -02:00
zc0301 V4L/DVB (9327): v4l: use video_device.num instead of minor in video%d 2008-10-21 14:31:37 -02:00
zoran V4L/DVB (9234): zoran: Drop redundant printk 2008-10-17 17:24:49 -03:00
adv7170.c V4L/DVB (9198): adv7170: convert i2c driver for new i2c API 2008-10-17 17:15:58 -03:00
adv7175.c V4L/DVB (9199): adv7175: convert i2c driver for new i2c API 2008-10-17 17:16:08 -03:00
arv.c V4L/DVB (9327): v4l: use video_device.num instead of minor in video%d 2008-10-21 14:31:37 -02:00
bt819.c V4L/DVB (9200): bt819: convert i2c driver for new i2c API 2008-10-17 17:17:20 -03:00
bt856.c V4L/DVB (9201): bt856: convert i2c driver for new i2c API 2008-10-17 17:17:30 -03:00
bt866.c V4L/DVB (9202): bt866: convert i2c driver for new i2c API 2008-10-17 17:17:36 -03:00
btcx-risc.c V4L/DVB (8745): v4l2: fix a bunch of compile warnings. 2008-10-12 09:36:52 -02:00
btcx-risc.h V4L/DVB (8757): v4l-dvb: fix a bunch of sparse warnings 2008-09-03 18:37:13 -03:00
bw-qcam.c V4L/DVB (8783): v4l: add all missing video_device release callbacks 2008-10-12 09:36:54 -02:00
bw-qcam.h V4L/DVB (8780): v4l: replace the last uses of video_exclusive_open/release 2008-10-12 09:36:53 -02:00
c-qcam.c V4L/DVB (9327): v4l: use video_device.num instead of minor in video%d 2008-10-21 14:31:37 -02:00
cafe_ccic-regs.h
cafe_ccic.c V4L/DVB (9355): de-BKL cafe_ccic.c 2008-11-11 08:11:20 -02:00
compat_ioctl32.c V4L/DVB (9352): Add some missing compat32 ioctls 2008-11-11 08:11:20 -02:00
cpia_pp.c
cpia_usb.c
cpia.c V4L/DVB (9327): v4l: use video_device.num instead of minor in video%d 2008-10-21 14:31:37 -02:00
cpia.h V4L/DVB (8430): videodev: move some functions from v4l2-dev.h to v4l2-common.h or v4l2-ioctl.h 2008-07-23 19:00:17 -03:00
cs53l32a.c Remove newline from the description of module parameters 2008-08-01 12:46:41 -07:00
cs5345.c Remove newline from the description of module parameters 2008-08-01 12:46:41 -07:00
cs8420.h
cx2341x.c V4L/DVB (8634): v4l2: extend MPEG Encoding API with AVC and AAC 2008-10-12 09:36:47 -02:00
dabusb.c USB: remove warn() macro from usb media drivers 2008-10-17 14:41:08 -07:00
dabusb.h
font.h
hexium_gemini.c
hexium_orion.c
ibmmpeg2.h
indycam.c
indycam.h
ir-kbd-i2c.c V4L/DVB (9168): Add support for MSI TV@nywhere Plus remote 2008-10-13 09:57:34 -02:00
Kconfig V4L/DVB (9129): zoran: move zoran sources into a zoran subdirectory 2008-10-12 09:39:04 -02:00
ks0127.c V4L/DVB (9203): ks0127: convert i2c driver for new i2c API 2008-10-17 17:17:40 -03:00
ks0127.h
m52790.c V4L/DVB (8487): videodev: replace videodev.h includes by videodev2.h where possible 2008-07-26 13:11:36 -03:00
Makefile V4L/DVB (9129): zoran: move zoran sources into a zoran subdirectory 2008-10-12 09:39:04 -02:00
meye.c V4L/DVB (8780): v4l: replace the last uses of video_exclusive_open/release 2008-10-12 09:36:53 -02:00
meye.h V4L/DVB (8780): v4l: replace the last uses of video_exclusive_open/release 2008-10-12 09:36:53 -02:00
msp3400-driver.c V4L/DVB (8487): videodev: replace videodev.h includes by videodev2.h where possible 2008-07-26 13:11:36 -03:00
msp3400-driver.h
msp3400-kthreads.c V4L/DVB (8487): videodev: replace videodev.h includes by videodev2.h where possible 2008-07-26 13:11:36 -03:00
mt9m001.c V4L/DVB (8687): soc-camera: Move .power and .reset from soc_camera host to sensor driver 2008-10-12 09:36:50 -02:00
mt9m111.c V4L/DVB (8800): [v4l-dvb-maintainer] [PATCH] v4l: mt9m111.c make function static 2008-10-12 09:36:55 -02:00
mt9v022.c V4L/DVB (8687): soc-camera: Move .power and .reset from soc_camera host to sensor driver 2008-10-12 09:36:50 -02:00
mxb.c V4L/DVB (8945): mxb: use unique i2c adapter name 2008-10-12 09:37:00 -02:00
mxb.h
ov511.c USB: remove warn() macro from usb media drivers 2008-10-17 14:41:08 -07:00
ov511.h V4L/DVB (9116): USB: remove info() macro from usb media drivers 2008-10-12 09:37:14 -02:00
ov7670.c V4L/DVB (8381): ov7670: fix compile warnings 2008-07-20 07:28:27 -03:00
pms.c V4L/DVB (8783): v4l: add all missing video_device release callbacks 2008-10-12 09:36:54 -02:00
pxa_camera.c V4L/DVB: pxa-camera: Unsigned dma_chans[] cannot be negative 2008-10-12 09:37:02 -02:00
s2255drv.c V4L/DVB (8906): v4l-dvb: fix assorted sparse warnings 2008-10-12 09:36:58 -02:00
saa711x_regs.h
saa717x.c V4L/DVB (8487): videodev: replace videodev.h includes by videodev2.h where possible 2008-07-26 13:11:36 -03:00
saa5246a.c V4L/DVB (8943): saa5246a: convert i2c driver for new i2c API 2008-10-12 09:37:00 -02:00
saa5249.c V4L/DVB (9159): saa5249: fix compile errors 2008-10-13 09:07:50 -02:00
saa6588.c
saa7110.c V4L/DVB (9372): Minor fixes to the saa7110 driver 2008-11-11 08:11:23 -02:00
saa7111.c V4L/DVB (9205): saa7111: convert i2c driver for new i2c API 2008-10-17 17:17:52 -03:00
saa7114.c V4L/DVB (9206): saa7114: convert i2c driver for new i2c API 2008-10-17 17:19:41 -03:00
saa7115.c V4L/DVB (9162): ivtv: fix raw/sliced VBI mixup 2008-10-13 09:08:01 -02:00
saa7121.h
saa7127.c V4L/DVB (9240): saa7127: Fix two typos 2008-10-17 17:25:11 -03:00
saa7146.h
saa7146reg.h
saa7185.c V4L/DVB (9207): saa7185: convert i2c driver for new i2c API 2008-10-17 17:20:01 -03:00
saa7191.c
saa7191.h
se401.c V4L/DVB (9327): v4l: use video_device.num instead of minor in video%d 2008-10-21 14:31:37 -02:00
se401.h V4L/DVB (8430): videodev: move some functions from v4l2-dev.h to v4l2-common.h or v4l2-ioctl.h 2008-07-23 19:00:17 -03:00
sh_mobile_ceu_camera.c V4L/DVB (9244): video: improve sh_mobile_ceu buffer handling 2008-10-17 17:26:10 -03:00
soc_camera_platform.c V4L/DVB (9241): soc-camera: move sensor power management to soc_camera_platform.c 2008-10-17 17:25:29 -03:00
soc_camera.c V4L/DVB (8610): Add suspend/resume capabilities to soc_camera. 2008-08-06 06:57:32 -03:00
stk-sensor.c
stk-webcam.c V4L/DVB (9327): v4l: use video_device.num instead of minor in video%d 2008-10-21 14:31:37 -02:00
stk-webcam.h V4L/DVB (9193): stk-webcam: minor cleanup 2008-10-17 17:14:57 -03:00
stradis.c V4L/DVB (8783): v4l: add all missing video_device release callbacks 2008-10-12 09:36:54 -02:00
stv680.c V4L/DVB (9327): v4l: use video_device.num instead of minor in video%d 2008-10-21 14:31:37 -02:00
stv680.h
tcm825x.c
tcm825x.h
tda7432.c V4L/DVB (8487): videodev: replace videodev.h includes by videodev2.h where possible 2008-07-26 13:11:36 -03:00
tda9840.c V4L/DVB (9033): drivers/media/video/tda9840.c: unbreak 2008-10-12 09:37:08 -02:00
tda9840.h V4L/DVB (8941): mxb/tda9840: cleanups, use module saa7115 instead of saa7111. 2008-10-12 09:37:00 -02:00
tda9875.c V4L/DVB (8487): videodev: replace videodev.h includes by videodev2.h where possible 2008-07-26 13:11:36 -03:00
tea6415c.c V4L/DVB (8630): First mxb cleanup phase 2008-10-12 09:36:47 -02:00
tea6415c.h
tea6420.c V4L/DVB (8630): First mxb cleanup phase 2008-10-12 09:36:47 -02:00
tea6420.h
tlv320aic23b.c V4L/DVB (8487): videodev: replace videodev.h includes by videodev2.h where possible 2008-07-26 13:11:36 -03:00
tuner-core.c V4L/DVB (9049): convert tuner drivers to use dvb_frontend->callback 2008-10-12 09:37:09 -02:00
tvaudio.c V4L/DVB (9624): CVE-2008-5033: fix OOPS on tvaudio when controlling bass/treble 2008-11-14 14:39:47 -02:00
tveeprom.c V4L/DVB (9268): tuner: add FMD1216MEX tuner 2008-10-17 17:29:09 -03:00
tvp5150_reg.h
tvp5150.c V4L/DVB (8487): videodev: replace videodev.h includes by videodev2.h where possible 2008-07-26 13:11:36 -03:00
upd64031a.c
upd64083.c
v4l1-compat.c V4L/DVB (9330): Get rid of inode parameter at v4l_compat_translate_ioctl() 2008-10-21 14:31:45 -02:00
v4l2-common.c remove CONFIG_KMOD from drivers 2008-10-17 02:38:35 +11:00
v4l2-dev.c V4L/DVB (9133): v4l: disconnect kernel number from minor 2008-10-12 09:37:16 -02:00
v4l2-int-device.c V4L/DVB (9322): v4l2-int-if: Export more interfaces to modules 2008-10-21 14:31:20 -02:00
v4l2-ioctl.c V4L/DVB (9331): Remove unused inode parameter from video_ioctl2 2008-10-21 14:31:49 -02:00
videobuf-core.c PAGE_ALIGN(): correctly handle 64-bit values on 32-bit architectures 2008-07-24 10:47:21 -07:00
videobuf-dma-contig.c V4L/DVB (8425): v4l: fix checkpatch errors introduced by recent commits 2008-07-23 08:09:21 -03:00
videobuf-dma-sg.c
videobuf-dvb.c V4L/DVB (9335): videobuf: split unregister bus creating self-contained frontend de-allocator 2008-10-21 14:32:08 -02:00
videobuf-vmalloc.c V4L/DVB (8525): fix a few assorted spelling mistakes. 2008-07-27 11:07:13 -03:00
vino.c remove CONFIG_KMOD from drivers 2008-10-17 02:38:35 +11:00
vino.h
vivi.c V4L/DVB (9327): v4l: use video_device.num instead of minor in video%d 2008-10-21 14:31:37 -02:00
vp27smpx.c V4L/DVB (8487): videodev: replace videodev.h includes by videodev2.h where possible 2008-07-26 13:11:36 -03:00
vpx3220.c V4L/DVB (9208): vpx3220: convert i2c driver for new i2c API 2008-10-17 17:20:13 -03:00
w9966.c V4L/DVB (8788): v4l: replace video_get_drvdata(video_devdata(filp)) with video_drvdata(filp) 2008-10-12 09:36:54 -02:00
w9968cf_decoder.h
w9968cf_vpp.h
w9968cf.c V4L/DVB (9327): v4l: use video_device.num instead of minor in video%d 2008-10-21 14:31:37 -02:00
w9968cf.h V4L/DVB (8487): videodev: replace videodev.h includes by videodev2.h where possible 2008-07-26 13:11:36 -03:00
wm8739.c V4L/DVB (8789): wm8739: remove wrong kfree 2008-09-10 23:18:32 -03:00
wm8775.c V4L/DVB (8487): videodev: replace videodev.h includes by videodev2.h where possible 2008-07-26 13:11:36 -03:00
zr364xx.c V4L/DVB (9327): v4l: use video_device.num instead of minor in video%d 2008-10-21 14:31:37 -02:00