| Message ID | tencent_93C4465D499DEEDF6EE60CB667DC46D0D206@qq.com |
|---|---|
| State | New |
| Headers | show |
| Series | media: az6007: Add upper bound check to the data of device state | expand |
diff --git a/drivers/media/usb/dvb-usb-v2/az6007.c b/drivers/media/usb/dvb-usb-v2/az6007.c index 65ef045b74ca..6322894eda27 100644 --- a/drivers/media/usb/dvb-usb-v2/az6007.c +++ b/drivers/media/usb/dvb-usb-v2/az6007.c @@ -806,7 +806,8 @@ static int az6007_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg msgs[], if (az6007_xfer_debug) printk(KERN_DEBUG "az6007: I2C R addr=0x%x len=%d\n", addr, msgs[i].len); - if (msgs[i].len < 1) { + if (msgs[i].len < 1 || + msgs[i].len > ARRAY_SIZE(st->data) - 5) { ret = -EIO; goto err; }
syzbot report a corrupted list in az6007_i2c_xfer. [1] Before accessing the member data of the struct az6007_device_state, only the lower boundary of data is checked, but the upper boundary is not checked. When the value of msgs[i].len is damaged or too large, it will cause out of bounds access to st->data. [1] UBSAN: array-index-out-of-bounds in drivers/media/usb/dvb-usb-v2/az6007.c:821:30 index 4096 is out of range for type 'unsigned char [4096]' CPU: 1 UID: 0 PID: 5832 Comm: syz-executor328 Not tainted 6.15.0-rc2-syzkaller-00493-gac71fabf1567 #0 PREEMPT(full) Call Trace: <TASK> az6007_i2c_xfer+0x549/0xc30 drivers/media/usb/dvb-usb-v2/az6007.c:821 i2c_transfer_buffer_flags+0x10c/0x190 drivers/i2c/i2c-core-base.c:2343 i2cdev_read+0x111/0x280 drivers/i2c/i2c-dev.c:155 do_loop_readv_writev fs/read_write.c:833 [inline] do_preadv+0x1af/0x270 fs/read_write.c:1130 do_syscall_64+0xcd/0x260 arch/x86/entry/syscall_64.c:94 Reported-by: syzbot+0192952caa411a3be209@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=0192952caa411a3be209 Signed-off-by: Edward Adam Davis <eadavis@qq.com> --- drivers/media/usb/dvb-usb-v2/az6007.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)