| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20250905160645.4152096-1-aha310510@gmail.com>
Date: Sat, 6 Sep 2025 01:06:45 +0900
From: Jeongjun Park <aha310510@...il.com>
To: syzbot+0192952caa411a3be209@...kaller.appspotmail.com
Cc: linux-kernel@...r.kernel.org,
syzkaller-bugs@...glegroups.com,
aha310510@...il.com
Subject: Re: [syzbot] [media?] BUG: corrupted list in az6007_i2c_xfer
#syz test git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
---
drivers/media/usb/dvb-usb-v2/az6007.c | 70 +++++++++++++++------------
1 file changed, 38 insertions(+), 32 deletions(-)
diff --git a/drivers/media/usb/dvb-usb-v2/az6007.c b/drivers/media/usb/dvb-usb-v2/az6007.c
index 65ef045b74ca..af750840503e 100644
--- a/drivers/media/usb/dvb-usb-v2/az6007.c
+++ b/drivers/media/usb/dvb-usb-v2/az6007.c
@@ -97,13 +97,19 @@ static struct mt2063_config az6007_mt2063_config = {
.refclock = 36125000,
};
-static int __az6007_read(struct usb_device *udev, u8 req, u16 value,
- u16 index, u8 *b, int blen)
+static int __az6007_read(struct dvb_usb_device *d, struct az6007_device_state *st,
+ u8 req, u16 value, u16 index, u8 *b, int blen)
{
int ret;
- ret = usb_control_msg(udev,
- usb_rcvctrlpipe(udev, 0),
+ if (blen > sizeof(st->data)) {
+ pr_err("az6007: tried to read %d bytes, but I2C max size is %lu bytes\n",
+ blen, sizeof(st->data));
+ return -EOPNOTSUPP;
+ }
+
+ ret = usb_control_msg(d->udev,
+ usb_rcvctrlpipe(d->udev, 0),
req,
USB_TYPE_VENDOR | USB_DIR_IN,
value, index, b, blen, 5000);
@@ -125,24 +131,30 @@ static int __az6007_read(struct usb_device *udev, u8 req, u16 value,
static int az6007_read(struct dvb_usb_device *d, u8 req, u16 value,
u16 index, u8 *b, int blen)
{
- struct az6007_device_state *st = d->priv;
+ struct az6007_device_state *st = d_to_priv(d);
int ret;
if (mutex_lock_interruptible(&st->mutex) < 0)
return -EAGAIN;
- ret = __az6007_read(d->udev, req, value, index, b, blen);
+ ret = __az6007_read(d, st, req, value, index, b, blen);
mutex_unlock(&st->mutex);
return ret;
}
-static int __az6007_write(struct usb_device *udev, u8 req, u16 value,
- u16 index, u8 *b, int blen)
+static int __az6007_write(struct dvb_usb_device *d, struct az6007_device_state *st,
+ u8 req, u16 value, u16 index, u8 *b, int blen)
{
int ret;
+ if (blen > sizeof(st->data)) {
+ pr_err("az6007: tried to write %d bytes, but I2C max size is %lu bytes\n",
+ blen, sizeof(st->data));
+ return -EOPNOTSUPP;
+ }
+
if (az6007_xfer_debug) {
printk(KERN_DEBUG "az6007: OUT req: %02x, value: %04x, index: %04x\n",
req, value, index);
@@ -150,14 +162,8 @@ static int __az6007_write(struct usb_device *udev, u8 req, u16 value,
DUMP_PREFIX_NONE, b, blen);
}
- if (blen > 64) {
- pr_err("az6007: tried to write %d bytes, but I2C max size is 64 bytes\n",
- blen);
- return -EOPNOTSUPP;
- }
-
- ret = usb_control_msg(udev,
- usb_sndctrlpipe(udev, 0),
+ ret = usb_control_msg(d->udev,
+ usb_sndctrlpipe(d->udev, 0),
req,
USB_TYPE_VENDOR | USB_DIR_OUT,
value, index, b, blen, 5000);
@@ -172,13 +178,13 @@ static int __az6007_write(struct usb_device *udev, u8 req, u16 value,
static int az6007_write(struct dvb_usb_device *d, u8 req, u16 value,
u16 index, u8 *b, int blen)
{
- struct az6007_device_state *st = d->priv;
+ struct az6007_device_state *st = d_to_priv(d);
int ret;
if (mutex_lock_interruptible(&st->mutex) < 0)
return -EAGAIN;
- ret = __az6007_write(d->udev, req, value, index, b, blen);
+ ret = __az6007_write(d, st, req, value, index, b, blen);
mutex_unlock(&st->mutex);
@@ -775,13 +781,12 @@ static int az6007_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg msgs[],
value = addr | (1 << 8);
length = 6 + msgs[i + 1].len;
len = msgs[i + 1].len;
- ret = __az6007_read(d->udev, req, value, index,
+ ret = __az6007_read(d, st, req, value, index,
st->data, length);
if (ret >= len) {
for (j = 0; j < len; j++)
msgs[i + 1].buf[j] = st->data[j + 5];
- } else
- ret = -EIO;
+ }
i++;
} else if (!(msgs[i].flags & I2C_M_RD)) {
/* write bytes */
@@ -797,10 +802,8 @@ static int az6007_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg msgs[],
value = addr | (1 << 8);
length = msgs[i].len - 1;
len = msgs[i].len - 1;
- for (j = 0; j < len; j++)
- st->data[j] = msgs[i].buf[j + 1];
- ret = __az6007_write(d->udev, req, value, index,
- st->data, length);
+ ret = __az6007_write(d, st, req, value, index,
+ &msgs[i].buf[1], length);
} else {
/* read bytes */
if (az6007_xfer_debug)
@@ -815,10 +818,12 @@ static int az6007_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg msgs[],
value = addr;
length = msgs[i].len + 6;
len = msgs[i].len;
- ret = __az6007_read(d->udev, req, value, index,
+ ret = __az6007_read(d, st, req, value, index,
st->data, length);
- for (j = 0; j < len; j++)
- msgs[i].buf[j] = st->data[j + 5];
+ if (ret >= len) {
+ for (j = 0; j < len; j++)
+ msgs[i].buf[j] = st->data[j + 5];
+ }
}
if (ret < 0)
goto err;
@@ -845,6 +850,7 @@ static const struct i2c_algorithm az6007_i2c_algo = {
static int az6007_identify_state(struct dvb_usb_device *d, const char **name)
{
+ struct az6007_device_state *state = d_to_priv(d);
int ret;
u8 *mac;
@@ -855,7 +861,7 @@ static int az6007_identify_state(struct dvb_usb_device *d, const char **name)
return -ENOMEM;
/* Try to read the mac address */
- ret = __az6007_read(d->udev, AZ6007_READ_DATA, 6, 0, mac, 6);
+ ret = __az6007_read(d, state, AZ6007_READ_DATA, 6, 0, mac, 6);
if (ret == 6)
ret = WARM;
else
@@ -864,9 +870,9 @@ static int az6007_identify_state(struct dvb_usb_device *d, const char **name)
kfree(mac);
if (ret == COLD) {
- __az6007_write(d->udev, 0x09, 1, 0, NULL, 0);
- __az6007_write(d->udev, 0x00, 0, 0, NULL, 0);
- __az6007_write(d->udev, 0x00, 0, 0, NULL, 0);
+ __az6007_write(d, state, 0x09, 1, 0, NULL, 0);
+ __az6007_write(d, state, 0x00, 0, 0, NULL, 0);
+ __az6007_write(d, state, 0x00, 0, 0, NULL, 0);
}
pr_debug("Device is on %s state\n",
--
Powered by blists - more mailing lists