| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20251117123101.1641065-1-Sergey.Nalivayko@kaspersky.com>
Date: Mon, 17 Nov 2025 15:31:01 +0300
From: Nalivayko Sergey <Sergey.Nalivayko@...persky.com>
To: <linux-media@...r.kernel.org>
CC: Nalivayko Sergey <Sergey.Nalivayko@...persky.com>,
<linux-kernel@...r.kernel.org>, <mchehab@...nel.org>,
<lvc-project@...uxtesting.org>,
<syzbot+0192952caa411a3be209@...kaller.appspotmail.com>,
<stable@...r.kernel.org>
Subject: [PATCH] media: az6007: validate I2C message length
syzbot reports a UBSAN issue as below:
UBSAN: array-index-out-of-bounds in drivers/media/usb/dvb-usb-v2/az6007.c:821:30
index 4096 is out of range for type 'unsigned char [4096]'
CPU: 1 UID: 0 PID: 5832 Comm: syz-executor328 Not tainted 6.15.0-rc2-syzkaller-00493-gac71fabf1567 #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:120
ubsan_epilogue lib/ubsan.c:231 [inline]
__ubsan_handle_out_of_bounds+0x11c/0x160 lib/ubsan.c:453
az6007_i2c_xfer+0x549/0xc30 drivers/media/usb/dvb-usb-v2/az6007.c:821
__i2c_transfer+0x6b3/0x2190 drivers/i2c/i2c-core-base.c:2259
i2c_transfer drivers/i2c/i2c-core-base.c:2315 [inline]
i2c_transfer+0x1da/0x380 drivers/i2c/i2c-core-base.c:2291
i2c_transfer_buffer_flags+0x10c/0x190 drivers/i2c/i2c-core-base.c:2343
i2c_master_recv include/linux/i2c.h:79 [inline]
i2cdev_read+0x111/0x280 drivers/i2c/i2c-dev.c:155
do_loop_readv_writev fs/read_write.c:845 [inline]
do_loop_readv_writev fs/read_write.c:833 [inline]
vfs_readv+0x6bc/0x8a0 fs/read_write.c:1018
do_preadv+0x1af/0x270 fs/read_write.c:1130
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xcd/0x260 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
</TASK>
The issue occurs because the az6007 driver does not validate the length
of the received I2C message. While iterating over st->data, the index 'j'
may exceed the maximum buffer size of 4096 elements.
Add validation of msgs.len based on buffer length value passed
to __az6007_read/write functions to prevent out-of-bounds access.
Reported-by: syzbot+0192952caa411a3be209@...kaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=d8913f1760bc090ee46e\
Fixes: 71d676345698 ("[media] dvb: Add a new driver for az6007")
Cc: stable@...r.kernel.org
Signed-off-by: Nalivayko Sergey <Sergey.Nalivayko@...persky.com>
---
drivers/media/usb/dvb-usb-v2/az6007.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/drivers/media/usb/dvb-usb-v2/az6007.c b/drivers/media/usb/dvb-usb-v2/az6007.c
index 65ef045b74ca..c966de4ea6e1 100644
--- a/drivers/media/usb/dvb-usb-v2/az6007.c
+++ b/drivers/media/usb/dvb-usb-v2/az6007.c
@@ -770,6 +770,10 @@ static int az6007_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg msgs[],
if (az6007_xfer_debug)
printk(KERN_DEBUG "az6007: I2C W/R addr=0x%x len=%d/%d\n",
addr, msgs[i].len, msgs[i + 1].len);
+ if (msgs[i + 1].len + 6 > ARRAY_SIZE(st->data)) {
+ ret = -EIO;
+ goto err;
+ }
req = AZ6007_I2C_RD;
index = msgs[i].buf[0];
value = addr | (1 << 8);
@@ -788,7 +792,7 @@ static int az6007_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg msgs[],
if (az6007_xfer_debug)
printk(KERN_DEBUG "az6007: I2C W addr=0x%x len=%d\n",
addr, msgs[i].len);
- if (msgs[i].len < 1) {
+ if (msgs[i].len < 1 || msgs[i].len - 1 > ARRAY_SIZE(st->data)) {
ret = -EIO;
goto err;
}
@@ -806,7 +810,7 @@ static int az6007_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg msgs[],
if (az6007_xfer_debug)
printk(KERN_DEBUG "az6007: I2C R addr=0x%x len=%d\n",
addr, msgs[i].len);
- if (msgs[i].len < 1) {
+ if (msgs[i].len < 1 || msgs[i].len + 6 > ARRAY_SIZE(st->data)) {
ret = -EIO;
goto err;
}
--
2.39.5
Powered by blists - more mailing lists