lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <9f9d2240-63be-4232-8ad6-44821d2b9177@kernel.org>
Date: Mon, 3 Nov 2025 12:01:39 +0100
From: Hans Verkuil <hverkuil+cisco@...nel.org>
To: Edward Adam Davis <eadavis@...com>
Cc: linux-kernel@...r.kernel.org, linux-media@...r.kernel.org,
 mchehab@...nel.org, syzbot+480edd2cadb85ddb4bbe@...kaller.appspotmail.com,
 syzkaller-bugs@...glegroups.com
Subject: Re: [PATCH V2] media: dvb-usb: Optimizing err() output

Also fix the Subject line to add "pctv452e:" as prefix.

Regards,

	Hans

On 03/11/2025 12:00, Hans Verkuil wrote:
> On 14/10/2025 02:30, Edward Adam Davis wrote:
>> syzbot reported a uninit-value in pctv452e_i2c_msg. [1]
>>
>> When the snd_len or rcv_len check fails and jumps to failed, buf is
>> uninitialized, triggering the uninit-value issue.
>>
>> Setting the err() output buf byte count to 0 before jumping to failed
>> before initializing buf and setting it to 7 after initializing buf avoids
>> this warning.
>>
>> [1]
>> BUG: KMSAN: uninit-value in hex_string+0x681/0x740 lib/vsprintf.c:1220
>>  pctv452e_i2c_msg+0x82a/0x8f0 drivers/media/usb/dvb-usb/pctv452e.c:467
>>  pctv452e_i2c_xfer+0x2e6/0x4c0 drivers/media/usb/dvb-usb/pctv452e.c:502
>>
>> Reported-by: syzbot+480edd2cadb85ddb4bbe@...kaller.appspotmail.com
>> Closes: https://syzkaller.appspot.com/bug?extid=480edd2cadb85ddb4bbe
>> Signed-off-by: Edward Adam Davis <eadavis@...com>
>> ---
>> V1 -> V2: subject typos
>>
>>  drivers/media/usb/dvb-usb/pctv452e.c | 5 +++--
>>  1 file changed, 3 insertions(+), 2 deletions(-)
>>
>> diff --git a/drivers/media/usb/dvb-usb/pctv452e.c b/drivers/media/usb/dvb-usb/pctv452e.c
>> index 5094de9a312e..3b6e86a8e9ff 100644
>> --- a/drivers/media/usb/dvb-usb/pctv452e.c
>> +++ b/drivers/media/usb/dvb-usb/pctv452e.c
>> @@ -420,7 +420,7 @@ static int pctv452e_i2c_msg(struct dvb_usb_device *d, u8 addr,
>>  	struct pctv452e_state *state = d->priv;
>>  	u8 *buf;
>>  	u8 id;
>> -	int ret;
>> +	int ret, plen = 0;
> 
> Adding a plen variable isn't the right fix...
> 
>>  
>>  	buf = kmalloc(64, GFP_KERNEL);
>>  	if (!buf)
>> @@ -432,6 +432,7 @@ static int pctv452e_i2c_msg(struct dvb_usb_device *d, u8 addr,
>>  	if (snd_len > 64 - 7 || rcv_len > 64 - 7)
>>  		goto failed;
> 
> ...this check should be moved up to before the kmalloc and just return -EINVAL.
> That also avoids incrementing state->c in that case.
> 
> Regards,
> 
> 	Hans
> 
>>  
>> +	plen = 7;
>>  	buf[0] = SYNC_BYTE_OUT;
>>  	buf[1] = id;
>>  	buf[2] = PCTV_CMD_I2C;
>> @@ -466,7 +467,7 @@ static int pctv452e_i2c_msg(struct dvb_usb_device *d, u8 addr,
>>  failed:
>>  	err("I2C error %d; %02X %02X  %02X %02X %02X -> %*ph",
>>  	     ret, SYNC_BYTE_OUT, id, addr << 1, snd_len, rcv_len,
>> -	     7, buf);
>> +	     plen, buf);
>>  
>>  	kfree(buf);
>>  	return ret;
> 
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ