| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20250621154749.515315-1-alexguo1023@gmail.com>
Date: Sat, 21 Jun 2025 11:47:49 -0400
From: Alex Guo <alexguo1023@...il.com>
To: mchehab@...nel.org
Cc: alexguo1023@...il.com,
hverkuil@...all.nl,
linux-media@...r.kernel.org,
linux-kernel@...r.kernel.org
Subject: [PATCH] media: dvb-usb: az6027: fix null-ptr-deref in az6027_i2c_xfer
msg is controlled by user. If accessing msg.buf without sanity
check, null pointer deref would happen. Although there are some
existing checks on msg.len, they do not cover all buffer access
points. Therefore, we add an additional check on msg.len to
prevent potential crashes.
Similar commit: commit 0ed554fd769a ("media: dvb-usb: az6027:
fix null-ptr-deref in az6027_i2c_xfer()")
Signed-off-by: Alex Guo <alexguo1023@...il.com>
---
drivers/media/usb/dvb-usb/az6027.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/media/usb/dvb-usb/az6027.c b/drivers/media/usb/dvb-usb/az6027.c
index 056935d3cbd6..0c53c8508fc1 100644
--- a/drivers/media/usb/dvb-usb/az6027.c
+++ b/drivers/media/usb/dvb-usb/az6027.c
@@ -988,7 +988,7 @@ static int az6027_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg msg[], int n
/* write/read request */
if (i + 1 < num && (msg[i + 1].flags & I2C_M_RD)) {
req = 0xB9;
- if (msg[i].len < 1) {
+ if (msg[i].len < 2) {
i = -EOPNOTSUPP;
break;
}
@@ -1005,7 +1005,7 @@ static int az6027_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg msg[], int n
/* demod 16bit addr */
req = 0xBD;
- if (msg[i].len < 1) {
+ if (msg[i].len < 2) {
i = -EOPNOTSUPP;
break;
}
--
2.34.1
Powered by blists - more mailing lists