Received: by 2002:a25:ad19:0:0:0:0:0 with SMTP id y25csp3391826ybi;
        Tue, 2 Jul 2019 07:03:20 -0700 (PDT)
X-Google-Smtp-Source: APXvYqzsz395+jY2UtzchUx42CvxC6y1EIybinUyYt9/0VdFONtTVxcpOyiOCW4Ot0X9CioVym9W
X-Received: by 2002:a63:788a:: with SMTP id t132mr13182736pgc.332.1562076200762;
        Tue, 02 Jul 2019 07:03:20 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1562076200; cv=none;
        d=google.com; s=arc-20160816;
        b=EO+rO+zyuYGkMqBmcaz3NSk/7HK9iaK0DRny7ml/hR/hAVOviBIMXA+KaaQKTzMNSS
         CW4eSoBWaJV2fTBBpbiykcaHtunlW+AlvcwtH61HYJ6HSe7Lw5dMZpO4MeJwFu1pp6+3
         mHtO10FIqQisL+EDjkQqpiKCINNPNqxy1D8NMCQCvtm/dM5ZoM682DFT7CrtbvY6Fttz
         CIvPR7eTR4mcgidpapyoqB1yqIRsZUVDW/wl0CRggdsGwce0jeqkJIvhPZwhHD3Uo5tM
         EMyBc2WFbV8uGt0/S+5k3Fhxqti6WqJYCxG+Sk6HYe4uY7oZjsyUnoTEkiBcl1v5Ft6s
         dl+g==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:references:in-reply-to:message-id:date
         :subject:cc:to:from:dkim-signature;
        bh=2rKTJik0bNrJcZfdY1VXO0Y12wZ+rcUxHFgolJg0Bi0=;
        b=jQOdKM7hRGon9XHLM1oaZ7U1VaDzvEry3D0mn1Bb+j6457WKqJXPSAIDIVxbavgvIW
         LvDFUwmfOGx102l/c8vf9+K0fMLXCjZsdev4AhBIl7HdDJfGz6jOGTGAfK/RyUDvA3OT
         XpYBEy79jX0t6KHVGQ/AOIApXSsNoOPsXTqOAGAsRIhbglkuaYlI4MXR2WZuhGp7wFfr
         rgzMCFf0pdBqpLubhDV9uwTDhYq5j5jsvGNAfRpbmpWoOqlNb6U86k/Sg2saVZf3fByz
         clGVPvkv9mi3G0PuEOG3lLLJink4aVujxt2XAfSYTY7S1zGULqwnDYToGlFpuvfm29BX
         gT1w==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20161025 header.b=Da1vGZYh;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id g190si12865429pgc.131.2019.07.02.07.02.54;
        Tue, 02 Jul 2019 07:03:20 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20161025 header.b=Da1vGZYh;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1726825AbfGBOC0 (ORCPT <rfc822;fezhang.suse@gmail.com>
        + 99 others); Tue, 2 Jul 2019 10:02:26 -0400
Received: from mail-pg1-f194.google.com ([209.85.215.194]:45021 "EHLO
        mail-pg1-f194.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1726341AbfGBOC0 (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 2 Jul 2019 10:02:26 -0400
Received: by mail-pg1-f194.google.com with SMTP id i18so3069516pgl.11;
        Tue, 02 Jul 2019 07:02:26 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20161025;
        h=from:to:cc:subject:date:message-id:in-reply-to:references;
        bh=2rKTJik0bNrJcZfdY1VXO0Y12wZ+rcUxHFgolJg0Bi0=;
        b=Da1vGZYhN+2O3HqnlZp780wKxET6aFyhHJqF8YuGzSU1pCYGwypekf40WmSCXWoY0B
         GcuvasW+OWm6p5Iw1KN0AvSeCAujDcLzs+vYNG9j2AqwF/DF32JSQhnFTur2qOBotwla
         S5sb6M7XDCKzuiWVpxNzh5tVTt6/Wjw67XJKEdk9Ykr99CMaKfoE2hb4Aa2IUf7xeL49
         lW7ca7Qb+xXrhgHMyHk7qFUCkPfC65Sc9O+e9A1lK1HFgLSpcAxDsryVbh+cSf5ysLTK
         C8ApVpNi4d4HF5AZE9AWODuJiOp/U862aVVYDhOkqG5oZfaeNPNaS1AZ52b1Ag0MnWjM
         ja4Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to
         :references;
        bh=2rKTJik0bNrJcZfdY1VXO0Y12wZ+rcUxHFgolJg0Bi0=;
        b=RYO8ffNGlFoitbrIJgLXnLHBqALQXXEjC4vD4UaSMrFakkz0fd253y2N4nzWZdp+wI
         tcRvhkwknPBVCrD78Y0omarPCbFsAONCnI1bCah4bA2EkBRWFApasD6uWi6MiQqLVVAe
         jMMo93mUN2ChHEBkQZu63Q7eTNO4Es9hOaMutsYw5vA7p2ubM/ZYnuYNBXFb+gYd0DAB
         J9u1mPtOoYPvvqvc/WLldi7aLb2d/F36naBv/0udSI+KCqMg6lK1XpZzYg8C2llDuxeP
         t4hP0T493tm1Achy8WDygIJ65POhFnhcPrvT/Tl3Om6CDxzc6NFrmQDD9evnVZOYFvL3
         7mjQ==
X-Gm-Message-State: APjAAAWpDOCc30hjMdzslVTUCx3CCbpaL9KLaqzz34DCfYYsmYvHcfD5
        Ku8WW4J/bsxQ0Ca9fUc2HeU=
X-Received: by 2002:a17:90a:ca0f:: with SMTP id x15mr5696221pjt.82.1562076145506;
        Tue, 02 Jul 2019 07:02:25 -0700 (PDT)
Received: from debian.net.fpt ([2405:4800:58f7:57a9:d288:4a68:7763:f51e])
        by smtp.gmail.com with ESMTPSA id j2sm16587685pfn.135.2019.07.02.07.02.21
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Tue, 02 Jul 2019 07:02:24 -0700 (PDT)
From:   Phong Tran <tranmanphong@gmail.com>
To:     syzbot+eaaaf38a95427be88f4b@syzkaller.appspotmail.com,
        andreyknvl@google.com, hans.verkuil@cisco.com, mchehab@kernel.org,
        skhan@linuxfoundation.org, gregkh@linuxfoundation.org
Cc:     keescook@chromium.org, linux-kernel@vger.kernel.org,
        linux-media@vger.kernel.org, linux-usb@vger.kernel.org,
        syzkaller-bugs@googlegroups.com,
        linux-kernel-mentees@lists.linuxfoundation.org,
        Phong Tran <tranmanphong@gmail.com>
Subject: [PATCH] media: usb: technisat-usb2: fix buffer overflow
Date:   Tue,  2 Jul 2019 21:02:11 +0700
Message-Id: <20190702140211.28399-1-tranmanphong@gmail.com>
X-Mailer: git-send-email 2.11.0
In-Reply-To: <000000000000089d7f058683115e@google.com>
References: <000000000000089d7f058683115e@google.com>
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

The buffer will be overflow in case of the while loop can not break.
Add the checking buffer condition in while loop for avoiding
overlooping index.

This issue was reported by syzbot

Reported-by: syzbot+eaaaf38a95427be88f4b@syzkaller.appspotmail.com

Tested by:
https://groups.google.com/d/msg/syzkaller-bugs/CySBCKuUOOs/0hKq1CdjCwAJ

Signed-off-by: Phong Tran <tranmanphong@gmail.com>
---
 drivers/media/usb/dvb-usb/technisat-usb2.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/media/usb/dvb-usb/technisat-usb2.c b/drivers/media/usb/dvb-usb/technisat-usb2.c
index c659e18b358b..4e0b6185666a 100644
--- a/drivers/media/usb/dvb-usb/technisat-usb2.c
+++ b/drivers/media/usb/dvb-usb/technisat-usb2.c
@@ -655,7 +655,7 @@ static int technisat_usb2_get_ir(struct dvb_usb_device *d)
 #endif
 
 	ev.pulse = 0;
-	while (1) {
+	while (b != (buf + 63)) {
 		ev.pulse = !ev.pulse;
 		ev.duration = (*b * FIRMWARE_CLOCK_DIVISOR * FIRMWARE_CLOCK_TICK) / 1000;
 		ir_raw_event_store(d->rc_dev, &ev);
-- 
2.11.0