lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20250902232819.2415335-1-i.abramov@mt-integration.ru>
Date: Wed, 3 Sep 2025 02:28:14 +0300
From: Ivan Abramov <i.abramov@...integration.ru>
To: Mauro Carvalho Chehab <mchehab@...nel.org>
CC: Ivan Abramov <i.abramov@...integration.ru>, Hans Verkuil
	<hverkuil@...nel.org>, <linux-media@...r.kernel.org>,
	<linux-kernel@...r.kernel.org>, <lvc-project@...uxtesting.org>
Subject: [PATCH 1/1] media: msp3400: Avoid possible out-of-bounds array accesses in msp3400c_thread()

It's possible for max1 to remain -1 if msp_read() always fail. This variable is
further used as index for accessing arrays.

Fix that by checking max1 prior to array accesses. 

It seems that restart is the preferable action in case of out-of-bounds value.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Fixes: 8a4b275f9c19 ("V4L/DVB (3427): audmode and rxsubchans fixes (VIDIOC_G/S_TUNER)")
Signed-off-by: Ivan Abramov <i.abramov@...integration.ru>
---
 drivers/media/i2c/msp3400-kthreads.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/media/i2c/msp3400-kthreads.c b/drivers/media/i2c/msp3400-kthreads.c
index ecabc0e1d32e..1d9f41dd7c21 100644
--- a/drivers/media/i2c/msp3400-kthreads.c
+++ b/drivers/media/i2c/msp3400-kthreads.c
@@ -596,6 +596,8 @@ int msp3400c_thread(void *data)
 				"carrier2 val: %5d / %s\n", val, cd[i].name);
 		}
 
+		if (max1 < 0 || max1 > 3)
+			goto restart;
 		/* program the msp3400 according to the results */
 		state->main = msp3400c_carrier_detect_main[max1].cdo;
 		switch (max1) {
-- 
2.43.0


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ