| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20250902232819.2415335-1-i.abramov@mt-integration.ru>
Date: Wed, 3 Sep 2025 02:28:14 +0300
From: Ivan Abramov <i.abramov@...integration.ru>
To: Mauro Carvalho Chehab <mchehab@...nel.org>
CC: Ivan Abramov <i.abramov@...integration.ru>, Hans Verkuil
<hverkuil@...nel.org>, <linux-media@...r.kernel.org>,
<linux-kernel@...r.kernel.org>, <lvc-project@...uxtesting.org>
Subject: [PATCH 1/1] media: msp3400: Avoid possible out-of-bounds array accesses in msp3400c_thread()
It's possible for max1 to remain -1 if msp_read() always fail. This variable is
further used as index for accessing arrays.
Fix that by checking max1 prior to array accesses.
It seems that restart is the preferable action in case of out-of-bounds value.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Fixes: 8a4b275f9c19 ("V4L/DVB (3427): audmode and rxsubchans fixes (VIDIOC_G/S_TUNER)")
Signed-off-by: Ivan Abramov <i.abramov@...integration.ru>
---
drivers/media/i2c/msp3400-kthreads.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/media/i2c/msp3400-kthreads.c b/drivers/media/i2c/msp3400-kthreads.c
index ecabc0e1d32e..1d9f41dd7c21 100644
--- a/drivers/media/i2c/msp3400-kthreads.c
+++ b/drivers/media/i2c/msp3400-kthreads.c
@@ -596,6 +596,8 @@ int msp3400c_thread(void *data)
"carrier2 val: %5d / %s\n", val, cd[i].name);
}
+ if (max1 < 0 || max1 > 3)
+ goto restart;
/* program the msp3400 according to the results */
state->main = msp3400c_carrier_detect_main[max1].cdo;
switch (max1) {
--
2.43.0
Powered by blists - more mailing lists