| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20250905142535.4117869-1-aha310510@gmail.com>
Date: Fri, 5 Sep 2025 23:25:35 +0900
From: Jeongjun Park <aha310510@...il.com>
To: syzbot+0192952caa411a3be209@...kaller.appspotmail.com
Cc: syzkaller-bugs@...glegroups.com,
linux-kernel@...r.kernel.org,
aha310510@...il.com
Subject: Re: [syzbot] [media?] BUG: corrupted list in az6007_i2c_xfer
#syz test git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
---
drivers/media/usb/dvb-usb-v2/az6007.c | 67 +++++++++++++++------------
1 file changed, 37 insertions(+), 30 deletions(-)
diff --git a/drivers/media/usb/dvb-usb-v2/az6007.c b/drivers/media/usb/dvb-usb-v2/az6007.c
index 65ef045b74ca..34d28daf4679 100644
--- a/drivers/media/usb/dvb-usb-v2/az6007.c
+++ b/drivers/media/usb/dvb-usb-v2/az6007.c
@@ -97,13 +97,20 @@ static struct mt2063_config az6007_mt2063_config = {
.refclock = 36125000,
};
-static int __az6007_read(struct usb_device *udev, u8 req, u16 value,
+static int __az6007_read(struct dvb_usb_device *d, u8 req, u16 value,
u16 index, u8 *b, int blen)
{
+ struct az6007_device_state *st = d_to_priv(d);
int ret;
- ret = usb_control_msg(udev,
- usb_rcvctrlpipe(udev, 0),
+ if (blen > sizeof(st->data)) {
+ pr_err("az6007: tried to read %d bytes, but I2C max size is %lu bytes\n",
+ blen, sizeof(st->data));
+ return -EOPNOTSUPP;
+ }
+
+ ret = usb_control_msg(d->udev,
+ usb_rcvctrlpipe(d->udev, 0),
req,
USB_TYPE_VENDOR | USB_DIR_IN,
value, index, b, blen, 5000);
@@ -125,24 +132,31 @@ static int __az6007_read(struct usb_device *udev, u8 req, u16 value,
static int az6007_read(struct dvb_usb_device *d, u8 req, u16 value,
u16 index, u8 *b, int blen)
{
- struct az6007_device_state *st = d->priv;
+ struct az6007_device_state *st = d_to_priv(d);
int ret;
if (mutex_lock_interruptible(&st->mutex) < 0)
return -EAGAIN;
- ret = __az6007_read(d->udev, req, value, index, b, blen);
+ ret = __az6007_read(d, req, value, index, b, blen);
mutex_unlock(&st->mutex);
return ret;
}
-static int __az6007_write(struct usb_device *udev, u8 req, u16 value,
+static int __az6007_write(struct dvb_usb_device *d, u8 req, u16 value,
u16 index, u8 *b, int blen)
{
+ struct az6007_device_state *st = d_to_priv(d);
int ret;
+ if (blen > sizeof(st->data)) {
+ pr_err("az6007: tried to write %d bytes, but I2C max size is %lu bytes\n",
+ blen, sizeof(st->data));
+ return -EOPNOTSUPP;
+ }
+
if (az6007_xfer_debug) {
printk(KERN_DEBUG "az6007: OUT req: %02x, value: %04x, index: %04x\n",
req, value, index);
@@ -150,14 +164,8 @@ static int __az6007_write(struct usb_device *udev, u8 req, u16 value,
DUMP_PREFIX_NONE, b, blen);
}
- if (blen > 64) {
- pr_err("az6007: tried to write %d bytes, but I2C max size is 64 bytes\n",
- blen);
- return -EOPNOTSUPP;
- }
-
- ret = usb_control_msg(udev,
- usb_sndctrlpipe(udev, 0),
+ ret = usb_control_msg(d->udev,
+ usb_sndctrlpipe(d->udev, 0),
req,
USB_TYPE_VENDOR | USB_DIR_OUT,
value, index, b, blen, 5000);
@@ -172,13 +180,13 @@ static int __az6007_write(struct usb_device *udev, u8 req, u16 value,
static int az6007_write(struct dvb_usb_device *d, u8 req, u16 value,
u16 index, u8 *b, int blen)
{
- struct az6007_device_state *st = d->priv;
+ struct az6007_device_state *st = d_to_priv(d);
int ret;
if (mutex_lock_interruptible(&st->mutex) < 0)
return -EAGAIN;
- ret = __az6007_write(d->udev, req, value, index, b, blen);
+ ret = __az6007_write(d, req, value, index, b, blen);
mutex_unlock(&st->mutex);
@@ -775,13 +783,12 @@ static int az6007_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg msgs[],
value = addr | (1 << 8);
length = 6 + msgs[i + 1].len;
len = msgs[i + 1].len;
- ret = __az6007_read(d->udev, req, value, index,
+ ret = __az6007_read(d, req, value, index,
st->data, length);
if (ret >= len) {
for (j = 0; j < len; j++)
msgs[i + 1].buf[j] = st->data[j + 5];
- } else
- ret = -EIO;
+ }
i++;
} else if (!(msgs[i].flags & I2C_M_RD)) {
/* write bytes */
@@ -797,10 +804,8 @@ static int az6007_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg msgs[],
value = addr | (1 << 8);
length = msgs[i].len - 1;
len = msgs[i].len - 1;
- for (j = 0; j < len; j++)
- st->data[j] = msgs[i].buf[j + 1];
- ret = __az6007_write(d->udev, req, value, index,
- st->data, length);
+ ret = __az6007_write(d, req, value, index,
+ &msgs[i].buf[1], length);
} else {
/* read bytes */
if (az6007_xfer_debug)
@@ -815,10 +820,12 @@ static int az6007_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg msgs[],
value = addr;
length = msgs[i].len + 6;
len = msgs[i].len;
- ret = __az6007_read(d->udev, req, value, index,
+ ret = __az6007_read(d, req, value, index,
st->data, length);
- for (j = 0; j < len; j++)
- msgs[i].buf[j] = st->data[j + 5];
+ if (ret >= len) {
+ for (j = 0; j < len; j++)
+ msgs[i].buf[j] = st->data[j + 5];
+ }
}
if (ret < 0)
goto err;
@@ -855,7 +862,7 @@ static int az6007_identify_state(struct dvb_usb_device *d, const char **name)
return -ENOMEM;
/* Try to read the mac address */
- ret = __az6007_read(d->udev, AZ6007_READ_DATA, 6, 0, mac, 6);
+ ret = az6007_read(d, AZ6007_READ_DATA, 6, 0, mac, 6);
if (ret == 6)
ret = WARM;
else
@@ -864,9 +871,9 @@ static int az6007_identify_state(struct dvb_usb_device *d, const char **name)
kfree(mac);
if (ret == COLD) {
- __az6007_write(d->udev, 0x09, 1, 0, NULL, 0);
- __az6007_write(d->udev, 0x00, 0, 0, NULL, 0);
- __az6007_write(d->udev, 0x00, 0, 0, NULL, 0);
+ az6007_write(d, 0x09, 1, 0, NULL, 0);
+ az6007_write(d, 0x00, 0, 0, NULL, 0);
+ az6007_write(d, 0x00, 0, 0, NULL, 0);
}
pr_debug("Device is on %s state\n",
--
Powered by blists - more mailing lists