| Message ID | tencent_0CAE84EB4D452DD8560158AD0792021B6A06@qq.com |
|---|---|
| State | Accepted |
| Commit | b97719a66970601cd3151a3e2020f4454a1c4ff6 |
| Headers | show |
| Series | media: dvb-usb-v2: gl861: Fix null-ptr-deref in gl861_i2c_master_xfer | expand |
You are right. I am very sorry for my mistake and I will send another patch fix this. > Is the first chunk of your patch really necessary? > `msg[0].len < 2` includes the `msg[0].len == 0` case, > so the `msg.buf == NULL && msg.len == 0` case is (seemed to me) > safely ejected as it is. > >> --- a/drivers/media/usb/dvb-usb-v2/gl861.c >> +++ b/drivers/media/usb/dvb-usb-v2/gl861.c >> @@ -97,7 +97,7 @@ static int gl861_i2c_master_xfer(struct i2c_adapt >> >> er *adap, struct i2c_msg msg[], >> /* XXX: I2C adapter maximum data lengths are not tested */ >> if (num == 1 && !(msg[0].flags & I2C_M_RD)) { >> /* I2C write */ >> - if (msg[0].len < 2 || msg[0].len > sizeof(ctx->buf)) { >> + if (msg[0].len == 0 || msg[0].len > sizeof(ctx->buf)) { >> ret = -EOPNOTSUPP; >> goto err; >> } > > regards, > akihiro >
diff --git a/drivers/media/usb/dvb-usb-v2/gl861.c b/drivers/media/usb/dvb-usb-v2/gl861.c index 0c434259c36f..a552b646d407 100644 --- a/drivers/media/usb/dvb-usb-v2/gl861.c +++ b/drivers/media/usb/dvb-usb-v2/gl861.c @@ -97,7 +97,7 @@ static int gl861_i2c_master_xfer(struct i2c_adapter *adap, struct i2c_msg msg[], /* XXX: I2C adapter maximum data lengths are not tested */ if (num == 1 && !(msg[0].flags & I2C_M_RD)) { /* I2C write */ - if (msg[0].len < 2 || msg[0].len > sizeof(ctx->buf)) { + if (msg[0].len == 0 || msg[0].len > sizeof(ctx->buf)) { ret = -EOPNOTSUPP; goto err; } @@ -120,7 +120,7 @@ static int gl861_i2c_master_xfer(struct i2c_adapter *adap, struct i2c_msg msg[], } else if (num == 2 && !(msg[0].flags & I2C_M_RD) && (msg[1].flags & I2C_M_RD)) { /* I2C write + read */ - if (msg[0].len > 1 || msg[1].len > sizeof(ctx->buf)) { + if (msg[0].len != 1 || msg[1].len > sizeof(ctx->buf)) { ret = -EOPNOTSUPP; goto err; }
In gl861_i2c_master_xfer, msg is controlled by user. When msg[i].buf is null and msg[i].len is zero, former checks on msg[i].buf would be passed. Malicious data finally reach gl861_i2c_master_xfer. If accessing msg[i].buf[0] without sanity check, null ptr deref would happen. We add check on msg[i].len to prevent crash. Similar commit: commit 0ed554fd769a ("media: dvb-usb: az6027: fix null-ptr-deref in az6027_i2c_xfer()") Signed-off-by: Zhang Shurong <zhang_shurong@foxmail.com> --- drivers/media/usb/dvb-usb-v2/gl861.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)