lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-Id: <20250421-ubsan-out-of-sub-v1-1-d9239a5af007@arnaud-lcm.com>
Date: Mon, 21 Apr 2025 18:33:01 +0200
From: Arnaud Lecomte <contact@...aud-lcm.com>
To: Mauro Carvalho Chehab <mchehab@...nel.org>
Cc: linux-media@...r.kernel.org, linux-kernel@...r.kernel.org,
 syzbot+0192952caa411a3be209@...kaller.appspotmail.com,
 contact@...aud-lcm.com, skhan@...uxfoundation.org
Subject: [PATCH 1/2] media: dvb-usbv2: add bound checking for messages
 length in i2c_xfer

I2C messages should not be longer than a couple of hundred bytes.
However, despite this very unlikely scenario, it can happen and in this
case, this could lead to a buffer overflow in i2c_xfer.

Signed-off-by: Arnaud Lecomte <contact@...aud-lcm.com>
---
 drivers/media/usb/dvb-usb-v2/az6007.c | 13 ++++---------
 1 file changed, 4 insertions(+), 9 deletions(-)

diff --git a/drivers/media/usb/dvb-usb-v2/az6007.c b/drivers/media/usb/dvb-usb-v2/az6007.c
index 65ef045b74ca..e8ee18010346 100644
--- a/drivers/media/usb/dvb-usb-v2/az6007.c
+++ b/drivers/media/usb/dvb-usb-v2/az6007.c
@@ -757,6 +757,10 @@ static int az6007_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg msgs[],
 
 	for (i = 0; i < num; i++) {
 		addr = msgs[i].addr << 1;
+		if (msgs[i].len < 1 || msgs[i].len >= sizeof(st->data) - 6) {
+			ret = -EIO;
+			goto err;
+		}
 		if (((i + 1) < num)
 		    && (msgs[i].len == 1)
 		    && ((msgs[i].flags & I2C_M_RD) != I2C_M_RD)
@@ -788,10 +792,6 @@ static int az6007_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg msgs[],
 			if (az6007_xfer_debug)
 				printk(KERN_DEBUG "az6007: I2C W addr=0x%x len=%d\n",
 				       addr, msgs[i].len);
-			if (msgs[i].len < 1) {
-				ret = -EIO;
-				goto err;
-			}
 			req = AZ6007_I2C_WR;
 			index = msgs[i].buf[0];
 			value = addr | (1 << 8);
@@ -806,10 +806,6 @@ static int az6007_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg msgs[],
 			if (az6007_xfer_debug)
 				printk(KERN_DEBUG "az6007: I2C R addr=0x%x len=%d\n",
 				       addr, msgs[i].len);
-			if (msgs[i].len < 1) {
-				ret = -EIO;
-				goto err;
-			}
 			req = AZ6007_I2C_RD;
 			index = msgs[i].buf[0];
 			value = addr;
@@ -825,7 +821,6 @@ static int az6007_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg msgs[],
 	}
 err:
 	mutex_unlock(&st->mutex);
-
 	if (ret < 0) {
 		pr_info("%s ERROR: %i\n", __func__, ret);
 		return ret;

-- 
2.43.0

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ