lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date:   Tue, 20 Aug 2019 14:19:16 -0400
From:   Hui Peng <benquike@...il.com>
To:     security@...nel.org
Cc:     Hui Peng <benquike@...il.com>,
        Mathias Payer <mathias.payer@...elwelt.net>,
        Mauro Carvalho Chehab <mchehab@...nel.org>,
        Hans Verkuil <hans.verkuil@...co.com>,
        Kees Cook <keescook@...omium.org>, linux-media@...r.kernel.org,
        linux-kernel@...r.kernel.org
Subject: [PATCH] Fix an OOB access bug in technisat_usb2_get_ir

In the while loop of technisat_usb2_get_ir, it scans through
a fix-sized buffer read from the device side, the termination
condition of the loop is `*b == 0xff`. If no `0xff` byte is read
from the device side, OOB access happens.

This patch fixes the bug by adding an upper bound in the while loop.

Reported-by: Hui Peng <benquike@...il.com>
Reported-by: Mathias Payer <mathias.payer@...elwelt.net>
Signed-off-by: Hui Peng <benquike@...il.com>
---
 drivers/media/usb/dvb-usb/technisat-usb2.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/drivers/media/usb/dvb-usb/technisat-usb2.c b/drivers/media/usb/dvb-usb/technisat-usb2.c
index c659e18b358b..181f5f97af45 100644
--- a/drivers/media/usb/dvb-usb/technisat-usb2.c
+++ b/drivers/media/usb/dvb-usb/technisat-usb2.c
@@ -612,6 +612,7 @@ static int technisat_usb2_get_ir(struct dvb_usb_device *d)
 	u8 *b;
 	int ret;
 	struct ir_raw_event ev;
+	int i = 0;
 
 	buf[0] = GET_IR_DATA_VENDOR_REQUEST;
 	buf[1] = 0x08;
@@ -656,11 +657,15 @@ static int technisat_usb2_get_ir(struct dvb_usb_device *d)
 
 	ev.pulse = 0;
 	while (1) {
+		// only `ret` bytes are read from the device side
+		if (i >= ret)
+			break;
 		ev.pulse = !ev.pulse;
 		ev.duration = (*b * FIRMWARE_CLOCK_DIVISOR * FIRMWARE_CLOCK_TICK) / 1000;
 		ir_raw_event_store(d->rc_dev, &ev);
 
 		b++;
+		i++;
 		if (*b == 0xff) {
 			ev.pulse = 0;
 			ev.duration = 888888*2;
-- 
2.23.0

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ