| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAO9qdTHJ9GrbqjtMKzgDhy+bvEmDc+Sn3VosYxuq5hJ9Z20-bA@mail.gmail.com>
Date: Thu, 4 Sep 2025 20:07:44 +0900
From: Jeongjun Park <aha310510@...il.com>
To: Hans Verkuil <hverkuil+cisco@...nel.org>
Cc: mchehab@...nel.org, hverkuil@...all.nl, zhang_shurong@...mail.com,
linux-media@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH] media: az6007: fix out-of-bounds in az6007_i2c_xfer()
Hi Hans,
Hans Verkuil <hverkuil+cisco@...nel.org> wrote:
>
> Hi Jeongjun,
>
> On 21/04/2025 12:55, Jeongjun Park wrote:
> > According to the previous commit 1047f9343011 ("media: az6007:
> > Fix null-ptr-deref in az6007_i2c_xfer()"), msgs[i].len is user-controlled.
>
> Does this relate to syzbot reports? If so, please add a reference to that.
>
> As far as I can tell, you can get here only through /dev/i2c-X devices.
>
Sorry, I seem to have forgotten to include the reported-by tag when
sending the email. I'll add it in the next patch.
> >
> > In the previous commit, bounds checking was added because a null-ptr-deref
> > bug occurs when msgs[i].buf and msgs[i].len are set to null. However, this
> > leads to an out-of-bounds vuln for st->data when msgs[i].len is set to a
> > large value.
> >
> > Therefore, code to check the maximum value of msgs[i].len needs to be added.
> >
> > Fixes: 1047f9343011 ("media: az6007: Fix null-ptr-deref in az6007_i2c_xfer()")
> > Signed-off-by: Jeongjun Park <aha310510@...il.com>
> > ---
> > drivers/media/usb/dvb-usb-v2/az6007.c | 4 ++--
> > 1 file changed, 2 insertions(+), 2 deletions(-)
> >
> > diff --git a/drivers/media/usb/dvb-usb-v2/az6007.c b/drivers/media/usb/dvb-usb-v2/az6007.c
> > index 65ef045b74ca..fba1b6c08dc7 100644
> > --- a/drivers/media/usb/dvb-usb-v2/az6007.c
> > +++ b/drivers/media/usb/dvb-usb-v2/az6007.c
> > @@ -788,7 +788,7 @@ static int az6007_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg msgs[],
> > if (az6007_xfer_debug)
> > printk(KERN_DEBUG "az6007: I2C W addr=0x%x len=%d\n",
> > addr, msgs[i].len);
> > - if (msgs[i].len < 1) {
> > + if (msgs[i].len < 1 || msgs[i].len + 1 > sizeof(st->data)) {
> > ret = -EIO;
> > goto err;
> > }
> > @@ -806,7 +806,7 @@ static int az6007_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg msgs[],
> > if (az6007_xfer_debug)
> > printk(KERN_DEBUG "az6007: I2C R addr=0x%x len=%d\n",
> > addr, msgs[i].len);
> > - if (msgs[i].len < 1) {
> > + if (msgs[i].len < 1 || msgs[i].len + 5 > sizeof(st->data)) {
> > ret = -EIO;
> > goto err;
> > }
>
> I feel uncomfortable about this patch and similar patches that attempt to address this
> in various other drivers as well.
>
> It's all rather ad-hoc. E.g. you fix the two places here, but not the case at line 778.
>
> I think the proper fix would be to modify __az6007_read/write and add an argument with the
> size of the buffer, then let that function do the check. Rather than manually doing this
> check at every call of those functions. Same for similar drivers.
>
> The approach taken in this patch is too fragile.
>
You're right. Looking at it again, it seems more appropriate to fix
__az6007_read/write.
https://lore.kernel.org/all/20250421125244.85640-1-aha310510@gmail.com/
I remember patching vulnerabilities I found in other drivers using the
method Hans suggested. Is this the correct way to patch them?
> Regards,
>
> Hans
>
>
> > --
> >
>
Regards,
Jeongjun Park
Powered by blists - more mailing lists