From: Phong Tran
To: syzbot+eaaaf38a95427be88f4b@syzkaller.appspotmail.com, andreyknvl@google.com, hans.verkuil@cisco.com, mchehab@kernel.org, skhan@linuxfoundation.org, gregkh@linuxfoundation.org
Cc: keescook@chromium.org, linux-kernel@vger.kernel.org, linux-media@vger.kernel.org, linux-usb@vger.kernel.org, syzkaller-bugs@googlegroups.com, linux-kernel-mentees@lists.linuxfoundation.org, Phong Tran
Subject: [PATCH] media: usb: technisat-usb2: fix buffer overflow
Date: Tue, 2 Jul 2019 21:02:11 +0700
Message-Id: <20190702140211.28399-1-tranmanphong@gmail.com>
X-Mailer: git-send-email 2.11.0
In-Reply-To: <000000000000089d7f058683115e@google.com>
References: <000000000000089d7f058683115e@google.com>

The buffer will overflow in case the while loop cannot break.
Add a buffer check condition to the while loop to avoid
overlooping the index.

This issue was reported by syzbot.

Reported-by: syzbot+eaaaf38a95427be88f4b@syzkaller.appspotmail.com
Tested by: https://groups.google.com/d/msg/syzkaller-bugs/CySBCKuUOOs/0hKq1CdjCwAJ
Signed-off-by: Phong Tran --- drivers/media/usb/dvb-usb/technisat-usb2.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/media/usb/dvb-usb/technisat-usb2.c b/drivers/media/usb/dvb-usb/technisat-usb2.c index c659e18b358b..4e0b6185666a 100644 --- a/drivers/media/usb/dvb-usb/technisat-usb2.c +++ b/drivers/media/usb/dvb-usb/technisat-usb2.c @@ -655,7 +655,7 @@ static int technisat_usb2_get_ir(struct dvb_usb_device *d) #endif ev.pulse = 0; - while (1) { + while (b != (buf + 63)) { ev.pulse = !ev.pulse; ev.duration = (*b * FIRMWARE_CLOCK_DIVISOR * FIRMWARE_CLOCK_TICK) / 1000; ir_raw_event_store(d->rc_dev, &ev); -- 2.11.0
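
Review bot: The new loop condition `while (b != (buf + 63))` in technisat_usb2_get_ir() hard-codes 63 and tests with `!=`, and the hunk shows neither the declared size of buf nor how many bytes were actually received, so the limit cannot be checked against the buffer from the patch alone. Suggest deriving the end pointer from the buffer itself (its declared size, or the length the transfer returned) instead of a literal, and comparing with `<` so the loop still terminates if b ever starts at or steps past the limit. The body dereferences `*b` in the `ev.duration` computation before any in-loop exit visible here, so the bound in the loop header is the only guard on that read and should be exact. The commit message should also state why 63 is the correct last index.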