lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Tue,  3 Dec 2019 07:41:38 +0700
From:   Phong Tran <tranmanphong@...il.com>
To:     mchehab@...nel.org, gregkh@...uxfoundation.org,
        allison@...utok.net, tglx@...utronix.de,
        syzbot+6bf9606ee955b646c0e1@...kaller.appspotmail.com
Cc:     linux-media@...r.kernel.org, linux-kernel@...r.kernel.org,
        glider@...gle.com, syzkaller-bugs@...glegroups.com,
        Phong Tran <tranmanphong@...il.com>
Subject: [PATCH] media: dvb: check return value digitv_ctrl_msg

For fixing syzbot "KMSAN: uninit-value in digitv_rc_query"

In scenario testing for syzbot, failure reading from
digitv_ctrl_msg() [1].

Eg:
[   91.846657][ T3844] dvb-usb: bulk message failed: -22 (7/0)

digitv_rc_query() always return 0. But in this case a wrong thing happens.

Reported-by: syzbot+6bf9606ee955b646c0e1@...kaller.appspotmail.com
Tested-by: syzbot+6bf9606ee955b646c0e1@...kaller.appspotmail.com

[1]: https://syzkaller.appspot.com/text?tag=CrashLog&x=16860a63600000
[2]: https://groups.google.com/d/msg/syzkaller-bugs/-TXIJAZ0J9Q/T4PEUQoeAQAJ

Signed-off-by: Phong Tran <tranmanphong@...il.com>
---
 drivers/media/usb/dvb-usb/digitv.c | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/drivers/media/usb/dvb-usb/digitv.c b/drivers/media/usb/dvb-usb/digitv.c
index dd5bb230cec1..61bc8945e6b9 100644
--- a/drivers/media/usb/dvb-usb/digitv.c
+++ b/drivers/media/usb/dvb-usb/digitv.c
@@ -231,17 +231,21 @@ static struct rc_map_table rc_map_digitv_table[] = {
 static int digitv_rc_query(struct dvb_usb_device *d, u32 *event, int *state)
 {
 	int i;
-	u8 key[5];
+	u8 key[5] = { 0 };
 	u8 b[4] = { 0 };
+	int ret;
 
 	*event = 0;
 	*state = REMOTE_NO_KEY_PRESSED;
 
-	digitv_ctrl_msg(d,USB_READ_REMOTE,0,NULL,0,&key[1],4);
-
+	ret = digitv_ctrl_msg(d, USB_READ_REMOTE, 0, NULL, 0, &key[1], 4);
+	if (ret < 0)
+		return ret;
 	/* Tell the device we've read the remote. Not sure how necessary
 	   this is, but the Nebula SDK does it. */
-	digitv_ctrl_msg(d,USB_WRITE_REMOTE,0,b,4,NULL,0);
+	ret = digitv_ctrl_msg(d, USB_WRITE_REMOTE, 0, b, 4, NULL, 0);
+	if (ret < 0)
+		return ret;
 
 	/* if something is inside the buffer, simulate key press */
 	if (key[1] != 0)
-- 
2.20.1

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ