lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <20250421105555.34984-1-aha310510@gmail.com>
Date: Mon, 21 Apr 2025 19:55:54 +0900
From: Jeongjun Park <aha310510@...il.com>
To: mchehab@...nel.org
Cc: hverkuil@...all.nl,
	zhang_shurong@...mail.com,
	linux-media@...r.kernel.org,
	linux-kernel@...r.kernel.org,
	Jeongjun Park <aha310510@...il.com>
Subject: [PATCH] media: az6007: fix out-of-bounds in az6007_i2c_xfer()

According to the previous commit 1047f9343011 ("media: az6007: 
Fix null-ptr-deref in az6007_i2c_xfer()"), msgs[i].len is user-controlled.

In the previous commit, bounds checking was added because a null-ptr-deref 
bug occurs when msgs[i].buf and msgs[i].len are set to null. However, this 
leads to an out-of-bounds vuln for st->data when msgs[i].len is set to a 
large value.

Therefore, code to check the maximum value of msgs[i].len needs to be added.

Fixes: 1047f9343011 ("media: az6007: Fix null-ptr-deref in az6007_i2c_xfer()")
Signed-off-by: Jeongjun Park <aha310510@...il.com>
---
 drivers/media/usb/dvb-usb-v2/az6007.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/media/usb/dvb-usb-v2/az6007.c b/drivers/media/usb/dvb-usb-v2/az6007.c
index 65ef045b74ca..fba1b6c08dc7 100644
--- a/drivers/media/usb/dvb-usb-v2/az6007.c
+++ b/drivers/media/usb/dvb-usb-v2/az6007.c
@@ -788,7 +788,7 @@ static int az6007_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg msgs[],
 			if (az6007_xfer_debug)
 				printk(KERN_DEBUG "az6007: I2C W addr=0x%x len=%d\n",
 				       addr, msgs[i].len);
-			if (msgs[i].len < 1) {
+			if (msgs[i].len < 1 || msgs[i].len + 1 > sizeof(st->data)) {
 				ret = -EIO;
 				goto err;
 			}
@@ -806,7 +806,7 @@ static int az6007_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg msgs[],
 			if (az6007_xfer_debug)
 				printk(KERN_DEBUG "az6007: I2C R addr=0x%x len=%d\n",
 				       addr, msgs[i].len);
-			if (msgs[i].len < 1) {
+			if (msgs[i].len < 1 || msgs[i].len + 5 > sizeof(st->data)) {
 				ret = -EIO;
 				goto err;
 			}
--

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ