| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20251210055532.25737-2-dharanitharan725@gmail.com>
Date: Wed, 10 Dec 2025 05:55:33 +0000
From: Dharanitharan R <dharanitharan725@...il.com>
To: linux-media@...r.kernel.org
Cc: linux-kernel@...r.kernel.org,
mchehab@...nel.org,
micha@...edict.org,
syzkaller-bugs@...glegroups.com,
syzbot+d99f3a288cc7d8ef60fb@...kaller.appspotmail.com,
dharanitharan725@...il.com,
stable@...r.kernel.org
Subject: [PATCH v2] media: dw2102: validate I2C messages in su3000_i2c_transfer()
syzbot reports a general protection fault caused by su3000_i2c_transfer()
dereferencing msg->buf without validating the message length or buffer
pointer. Although i2c-dev blocks zero-length messages, malformed I²C
messages can still reach the driver through the DVB USB subsystem.
Add strict validation of each message to prevent NULL-pointer
dereferences.
Reported-by: syzbot+d99f3a288cc7d8ef60fb@...kaller.appspotmail.com
Fixes: 0e148a522b84 ("media: dw2102: Don't translate i2c read into write")
Closes: https://syzkaller.appspot.com/bug?extid=d99f3a288cc7d8ef60fb
Cc: stable@...r.kernel.org
Signed-off-by: Dharanitharan R <dharanitharan725@...il.com>
---
drivers/media/usb/dvb-usb/dw2102.c | 30 ++++++++++++++++++++++++++++++
1 file changed, 30 insertions(+)
diff --git a/drivers/media/usb/dvb-usb/dw2102.c b/drivers/media/usb/dvb-usb/dw2102.c
index 4fecf2f965e9..0dd210ea16f3 100644
--- a/drivers/media/usb/dvb-usb/dw2102.c
+++ b/drivers/media/usb/dvb-usb/dw2102.c
@@ -733,6 +733,36 @@ static int su3000_i2c_transfer(struct i2c_adapter *adap, struct i2c_msg msg[],
return -EAGAIN;
}
+ /* Validate incoming I²C messages */
+ if (!msg || num <= 0) {
+ mutex_unlock(&d->data_mutex);
+ mutex_unlock(&d->i2c_mutex);
+ return -EINVAL;
+ }
+
+ for (j = 0; j < num; j++) {
+ /* msg buffer must exist */
+ if (!msg[j].buf) {
+ mutex_unlock(&d->data_mutex);
+ mutex_unlock(&d->i2c_mutex);
+ return -EINVAL;
+ }
+
+ /* zero or negative length is invalid */
+ if (msg[j].len <= 0) {
+ mutex_unlock(&d->data_mutex);
+ mutex_unlock(&d->i2c_mutex);
+ return -EINVAL;
+ }
+
+ /* protect against unreasonable sizes */
+ if (msg[j].len > 256) {
+ mutex_unlock(&d->data_mutex);
+ mutex_unlock(&d->i2c_mutex);
+ return -EOPNOTSUPP;
+ }
+ }
+
j = 0;
while (j < num) {
switch (msg[j].addr) {
--
2.43.0
Powered by blists - more mailing lists