| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20190702140211.28399-1-tranmanphong@gmail.com>
Date: Tue, 2 Jul 2019 21:02:11 +0700
From: Phong Tran <tranmanphong@...il.com>
To: syzbot+eaaaf38a95427be88f4b@...kaller.appspotmail.com,
andreyknvl@...gle.com, hans.verkuil@...co.com, mchehab@...nel.org,
skhan@...uxfoundation.org, gregkh@...uxfoundation.org
Cc: keescook@...omium.org, linux-kernel@...r.kernel.org,
linux-media@...r.kernel.org, linux-usb@...r.kernel.org,
syzkaller-bugs@...glegroups.com,
linux-kernel-mentees@...ts.linuxfoundation.org,
Phong Tran <tranmanphong@...il.com>
Subject: [PATCH] media: usb: technisat-usb2: fix buffer overflow
The buffer will be overflow in case of the while loop can not break.
Add the checking buffer condition in while loop for avoiding
overlooping index.
This issue was reported by syzbot
Reported-by: syzbot+eaaaf38a95427be88f4b@...kaller.appspotmail.com
Tested by:
https://groups.google.com/d/msg/syzkaller-bugs/CySBCKuUOOs/0hKq1CdjCwAJ
Signed-off-by: Phong Tran <tranmanphong@...il.com>
---
drivers/media/usb/dvb-usb/technisat-usb2.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/media/usb/dvb-usb/technisat-usb2.c b/drivers/media/usb/dvb-usb/technisat-usb2.c
index c659e18b358b..4e0b6185666a 100644
--- a/drivers/media/usb/dvb-usb/technisat-usb2.c
+++ b/drivers/media/usb/dvb-usb/technisat-usb2.c
@@ -655,7 +655,7 @@ static int technisat_usb2_get_ir(struct dvb_usb_device *d)
#endif
ev.pulse = 0;
- while (1) {
+ while (b != (buf + 63)) {
ev.pulse = !ev.pulse;
ev.duration = (*b * FIRMWARE_CLOCK_DIVISOR * FIRMWARE_CLOCK_TICK) / 1000;
ir_raw_event_store(d->rc_dev, &ev);
--
2.11.0
Powered by blists - more mailing lists