lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <d661ae00-d100-46ef-8a15-50919b34daae@kernel.org>
Date: Mon, 3 Nov 2025 11:06:21 +0100
From: Hans Verkuil <hverkuil+cisco@...nel.org>
To: Edward Adam Davis <eadavis@...com>,
 syzbot+0192952caa411a3be209@...kaller.appspotmail.com
Cc: linux-kernel@...r.kernel.org, linux-media@...r.kernel.org,
 mchehab@...nel.org, syzkaller-bugs@...glegroups.com
Subject: Re: [PATCH] media: az6007: Add upper bound check to the data of
 device state

On 21/04/2025 16:31, Edward Adam Davis wrote:
> syzbot report a corrupted list in az6007_i2c_xfer. [1]
> 
> Before accessing the member data of the struct az6007_device_state, only
> the lower boundary of data is checked, but the upper boundary is not checked.
> When the value of msgs[i].len is damaged or too large, it will cause out
> of bounds access to st->data.
> 
> [1]
> UBSAN: array-index-out-of-bounds in drivers/media/usb/dvb-usb-v2/az6007.c:821:30
> index 4096 is out of range for type 'unsigned char [4096]'
> CPU: 1 UID: 0 PID: 5832 Comm: syz-executor328 Not tainted 6.15.0-rc2-syzkaller-00493-gac71fabf1567 #0 PREEMPT(full)
> Call Trace:
>  <TASK>
>  az6007_i2c_xfer+0x549/0xc30 drivers/media/usb/dvb-usb-v2/az6007.c:821
>  i2c_transfer_buffer_flags+0x10c/0x190 drivers/i2c/i2c-core-base.c:2343
>  i2cdev_read+0x111/0x280 drivers/i2c/i2c-dev.c:155
>  do_loop_readv_writev fs/read_write.c:833 [inline]
>  do_preadv+0x1af/0x270 fs/read_write.c:1130
>  do_syscall_64+0xcd/0x260 arch/x86/entry/syscall_64.c:94
> 
> Reported-by: syzbot+0192952caa411a3be209@...kaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=0192952caa411a3be209
> Signed-off-by: Edward Adam Davis <eadavis@...com>
> ---
>  drivers/media/usb/dvb-usb-v2/az6007.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
> 
> diff --git a/drivers/media/usb/dvb-usb-v2/az6007.c b/drivers/media/usb/dvb-usb-v2/az6007.c
> index 65ef045b74ca..6322894eda27 100644
> --- a/drivers/media/usb/dvb-usb-v2/az6007.c
> +++ b/drivers/media/usb/dvb-usb-v2/az6007.c
> @@ -806,7 +806,8 @@ static int az6007_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg msgs[],
>  			if (az6007_xfer_debug)
>  				printk(KERN_DEBUG "az6007: I2C R addr=0x%x len=%d\n",
>  				       addr, msgs[i].len);
> -			if (msgs[i].len < 1) {
> +			if (msgs[i].len < 1 ||
> +			    msgs[i].len > ARRAY_SIZE(st->data) - 5) {

Hmm, shouldn't this be '- 6'? Since a few lines below this the length passed
to __az6007_read is msgs[i].len + 6.

Regards,

	Hans

>  				ret = -EIO;
>  				goto err;
>  			}

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ