lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <45bd327d-7ab7-464b-b125-684a24bedf35@arnaud-lcm.com>
Date: Mon, 21 Apr 2025 17:11:38 +0200
From: Arnaud Lecomte <contact@...aud-lcm.com>
To: Edward Adam Davis <eadavis@...com>,
 syzbot+0192952caa411a3be209@...kaller.appspotmail.com
Cc: linux-kernel@...r.kernel.org, linux-media@...r.kernel.org,
 mchehab@...nel.org, syzkaller-bugs@...glegroups.com
Subject: Re: [PATCH] media: az6007: Add upper bound check to the data of
 device state

Hi Edward,
As I am currently trying over there: 
https://syzkaller.appspot.com/text?tag=Patch&x=10f3ac70580000, I think 
we also have a race condition related to the disconnection of the usb 
device.
What do you think ?

Arnaud

On 21/04/2025 16:31, Edward Adam Davis wrote:
> syzbot report a corrupted list in az6007_i2c_xfer. [1]
>
> Before accessing the member data of the struct az6007_device_state, only
> the lower boundary of data is checked, but the upper boundary is not checked.
> When the value of msgs[i].len is damaged or too large, it will cause out
> of bounds access to st->data.
>
> [1]
> UBSAN: array-index-out-of-bounds in drivers/media/usb/dvb-usb-v2/az6007.c:821:30
> index 4096 is out of range for type 'unsigned char [4096]'
> CPU: 1 UID: 0 PID: 5832 Comm: syz-executor328 Not tainted 6.15.0-rc2-syzkaller-00493-gac71fabf1567 #0 PREEMPT(full)
> Call Trace:
>   <TASK>
>   az6007_i2c_xfer+0x549/0xc30 drivers/media/usb/dvb-usb-v2/az6007.c:821
>   i2c_transfer_buffer_flags+0x10c/0x190 drivers/i2c/i2c-core-base.c:2343
>   i2cdev_read+0x111/0x280 drivers/i2c/i2c-dev.c:155
>   do_loop_readv_writev fs/read_write.c:833 [inline]
>   do_preadv+0x1af/0x270 fs/read_write.c:1130
>   do_syscall_64+0xcd/0x260 arch/x86/entry/syscall_64.c:94
>
> Reported-by: syzbot+0192952caa411a3be209@...kaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=0192952caa411a3be209
> Signed-off-by: Edward Adam Davis <eadavis@...com>
> ---
>   drivers/media/usb/dvb-usb-v2/az6007.c | 3 ++-
>   1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/media/usb/dvb-usb-v2/az6007.c b/drivers/media/usb/dvb-usb-v2/az6007.c
> index 65ef045b74ca..6322894eda27 100644
> --- a/drivers/media/usb/dvb-usb-v2/az6007.c
> +++ b/drivers/media/usb/dvb-usb-v2/az6007.c
> @@ -806,7 +806,8 @@ static int az6007_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg msgs[],
>   			if (az6007_xfer_debug)
>   				printk(KERN_DEBUG "az6007: I2C R addr=0x%x len=%d\n",
>   				       addr, msgs[i].len);
> -			if (msgs[i].len < 1) {
> +			if (msgs[i].len < 1 ||
> +			    msgs[i].len > ARRAY_SIZE(st->data) - 5) {
>   				ret = -EIO;
>   				goto err;
>   			}

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ