lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-Id: <20250616020835.791693-1-alexguo1023@gmail.com>
Date: Sun, 15 Jun 2025 22:08:35 -0400
From: Alex Guo <alexguo1023@...il.com>
To: mchehab@...nel.org
Cc: alexguo1023@...il.com,
	hverkuil@...all.nl,
	linux-media@...r.kernel.org,
	linux-kernel@...r.kernel.org
Subject: [PATCH] media: dvb-frontends: w7090p: fix null-ptr-deref in zd1301_demod_i2c_master_xfer

In zd1301_demod_i2c_master_xfer, msg is controlled by user. When
msg[0].buf is null and msg[0].len is zero, former checks on
msg[0].buf would be passed. If accessing msg[0].buf[0] without
sanity check, null pointer deref would happen. We add
check on msg[0].len to prevent crash.

Similar commit: commit 0ed554fd769a ("media: dvb-usb:
az6027: fix null-ptr-deref in az6027_i2c_xfer()")

Signed-off-by: Alex Guo <alexguo1023@...il.com>
---
 drivers/media/dvb-frontends/zd1301_demod.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/media/dvb-frontends/zd1301_demod.c b/drivers/media/dvb-frontends/zd1301_demod.c
index e8b9e67a8717..ebc10f96438e 100644
--- a/drivers/media/dvb-frontends/zd1301_demod.c
+++ b/drivers/media/dvb-frontends/zd1301_demod.c
@@ -325,7 +325,7 @@ static int zd1301_demod_i2c_master_xfer(struct i2c_adapter *adapter,
 	if (ZD1301_IS_I2C_XFER_WRITE_READ(msg, num)) {
 		dev_dbg(&pdev->dev, "write&read msg[0].len=%u msg[1].len=%u\n",
 			msg[0].len, msg[1].len);
-		if (msg[0].len > 1 || msg[1].len > 8) {
+		if (msg[0].len != 1 || msg[1].len > 8) {
 			ret = -EOPNOTSUPP;
 			goto err;
 		}
@@ -372,7 +372,7 @@ static int zd1301_demod_i2c_master_xfer(struct i2c_adapter *adapter,
 		}
 	} else if (ZD1301_IS_I2C_XFER_WRITE(msg, num)) {
 		dev_dbg(&pdev->dev, "write msg[0].len=%u\n", msg[0].len);
-		if (msg[0].len > 1 + 8) {
+		if (msg[0].len > 1 + 8 || msg[0].len < 1) {
 			ret = -EOPNOTSUPP;
 			goto err;
 		}
-- 
2.34.1

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ