CVE-2024-38621

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> media: stk1160: fix bounds checking in stk1160_copy_video()<br /> <br /> The subtract in this condition is reversed. The -&gt;length is the length<br /> of the buffer. The -&gt;bytesused is how many bytes we have copied thus<br /> far. When the condition is reversed that means the result of the<br /> subtraction is always negative but since it&amp;#39;s unsigned then the result<br /> is a very high positive value. That means the overflow check is never<br /> true.<br /> <br /> Additionally, the -&gt;bytesused doesn&amp;#39;t actually work for this purpose<br /> because we&amp;#39;re not writing to "buf-&gt;mem + buf-&gt;bytesused". Instead, the<br /> math to calculate the destination where we are writing is a bit<br /> involved. You calculate the number of full lines already written,<br /> multiply by two, skip a line if necessary so that we start on an odd<br /> numbered line, and add the offset into the line.<br /> <br /> To fix this buffer overflow, just take the actual destination where we<br /> are writing, if the offset is already out of bounds print an error and<br /> return. Otherwise, write up to buf-&gt;length bytes.