From: Alexander Potapenko
Date: Tue, 2 Jul 2019 16:23:11 +0200
Subject: Re: [PATCH] media: usb: technisat-usb2: fix buffer overflow
To: Phong Tran
Cc: syzbot+eaaaf38a95427be88f4b@syzkaller.appspotmail.com, Andrey Konovalov, hans.verkuil@cisco.com, mchehab@kernel.org, skhan@linuxfoundation.org, gregkh@linuxfoundation.org, Kees Cook, LKML, linux-media@vger.kernel.org, linux-usb@vger.kernel.org, syzkaller-bugs, linux-kernel-mentees@lists.linuxfoundation.org
In-Reply-To: <20190702140211.28399-1-tranmanphong@gmail.com>
References: <000000000000089d7f058683115e@google.com> <20190702140211.28399-1-tranmanphong@gmail.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, Jul 2, 2019 at 4:02 PM Phong Tran wrote:
>
> The buffer will overflow in case the while loop cannot break.
> Add a check on the buffer condition in the while loop to avoid
> overlooping the index.
>
> This issue was reported by syzbot.
>
> Reported-by: syzbot+eaaaf38a95427be88f4b@syzkaller.appspotmail.com
>
> Tested by:
> https://groups.google.com/d/msg/syzkaller-bugs/CySBCKuUOOs/0hKq1CdjCwAJ
>
> Signed-off-by: Phong Tran
> ---
>  drivers/media/usb/dvb-usb/technisat-usb2.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/media/usb/dvb-usb/technisat-usb2.c b/drivers/media/usb/dvb-usb/technisat-usb2.c
> index c659e18b358b..4e0b6185666a 100644
> --- a/drivers/media/usb/dvb-usb/technisat-usb2.c
> +++ b/drivers/media/usb/dvb-usb/technisat-usb2.c
> @@ -655,7 +655,7 @@ static int technisat_usb2_get_ir(struct dvb_usb_device *d)
>  #endif
>
>  	ev.pulse = 0;
> -	while (1) {
> +	while (b != (buf + 63)) {
I think it won't hurt to either use ARRAY_SIZE here, or define some magic
constant for the buffer size in struct technisat_usb2_state.
>  		ev.pulse = !ev.pulse;
>  		ev.duration = (*b * FIRMWARE_CLOCK_DIVISOR * FIRMWARE_CLOCK_TICK) / 1000;
>  		ir_raw_event_store(d->rc_dev, &ev);
> --
> 2.11.0
>

-- 
Alexander Potapenko
Software Engineer

Google Germany GmbH
Erika-Mann-Straße, 33
80636 München

Geschäftsführer: Paul Manicle, Halimah DeLaine Prado
Registergericht und -nummer: Hamburg, HRB 86891
Sitz der Gesellschaft: Hamburg
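Review bot: the new bound in `+ while (b != (buf + 63)) {` hard-codes 63 with nothing in the hunk tying it to the declared size of `buf`, and `!=` only terminates if `b` advances by exactly one element per iteration; if `buf` is 64 bytes this stops one element early, and if `b` ever steps past `buf + 63` the loop runs on. Suggest `while (b < buf + ARRAY_SIZE(buf)) {` (or a named size constant in struct technisat_usb2_state, as the reply proposes) so the limit follows the buffer declaration, and since the rest of the loop body and its original break are not visible in the hunk, the commit message should state what the function does when the loop exits on the bound instead of on the firmware's end marker (the one-line change leaves that path silent).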
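To make the point of the patch and of the ARRAY_SIZE suggestion concrete, here is an added example (written for this page, not code from the technisat-usb2 driver or from either author) that places the two loop shapes side by side: an unbounded `while (1)` that only stops on an end marker, and the bounded form that takes its limit from `ARRAY_SIZE` of the buffer and compares with `<`. The 64-byte frame, the 0xff end marker, the clock constants, the event structure and every function name are assumptions made for the example; the driver's real values are not on this page.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Example-only constants: the driver's real values are not on this page. */
#define FIRMWARE_CLOCK_DIVISOR 7UL      /* assumed */
#define FIRMWARE_CLOCK_TICK    83333UL  /* assumed, ns scale */
#define IR_FRAME_SIZE          64       /* assumed size of the IR reply buffer */
#define IR_END                 0xff     /* assumed end-of-frame marker */
#define MAX_EVENTS             256
#define ARRAY_SIZE(a)          (sizeof(a) / sizeof((a)[0]))

struct ir_event {
    int pulse;
    unsigned long duration;             /* ns, same arithmetic shape as the driver loop */
};

static void store_event(struct ir_event *ev, size_t n, uint8_t raw, int pulse)
{
    ev[n].pulse = pulse;
    ev[n].duration = (raw * FIRMWARE_CLOCK_DIVISOR * FIRMWARE_CLOCK_TICK) / 1000;
}

/* "Before" shape: while (1) that exits only on IR_END. Returns bytes read.
 * A reply without IR_END inside the frame makes this read past the frame;
 * the caller below hands it oversized backing storage so the overrun can be
 * measured here instead of being undefined behaviour. */
static size_t decode_ir_unbounded(const uint8_t *b, struct ir_event *ev)
{
    const uint8_t *start = b;
    size_t n = 0;
    int pulse = 0;

    while (1) {
        if (*b == IR_END)
            break;
        pulse = !pulse;
        if (n < MAX_EVENTS)
            store_event(ev, n++, *b, pulse);
        b++;
    }
    return (size_t)(b - start);
}

/* "After" shape: the bound comes from the buffer's declared size (callers
 * pass ARRAY_SIZE(buf)), and `<` rather than `!=` keeps the loop finite even
 * if b were ever advanced by more than one element. Returns bytes read. */
static size_t decode_ir_bounded(const uint8_t *buf, size_t buf_len,
                                struct ir_event *ev)
{
    const uint8_t *b = buf, *end = buf + buf_len;
    size_t n = 0;
    int pulse = 0;

    while (b < end && *b != IR_END) {
        pulse = !pulse;
        if (n < MAX_EVENTS)
            store_event(ev, n++, *b, pulse);
        b++;
    }
    return (size_t)(b - buf);
}

/* Constructed reply: a frame full of 0x10 pulses with no terminator inside
 * the first 64 bytes. The backing array is larger than the frame on purpose. */
static size_t demo_unbounded_overrun(void)
{
    uint8_t backing[128];
    struct ir_event ev[MAX_EVENTS];

    memset(backing, 0x10, sizeof(backing));
    backing[100] = IR_END;      /* first terminator is 36 bytes past the frame */
    return decode_ir_unbounded(backing, ev);   /* 100: read beyond the 64-byte frame */
}

static size_t demo_bounded_no_terminator(void)
{
    uint8_t frame[IR_FRAME_SIZE];
    struct ir_event ev[MAX_EVENTS];

    memset(frame, 0x10, sizeof(frame));
    return decode_ir_bounded(frame, ARRAY_SIZE(frame), ev);   /* 64: stops at the end */
}

/* Terminator inside the frame: returns bytes consumed, optionally the first duration. */
static size_t demo_bounded_terminator_at(size_t pos, unsigned long *first_ns)
{
    uint8_t frame[IR_FRAME_SIZE];
    struct ir_event ev[MAX_EVENTS] = {{0, 0}};
    size_t used;

    if (pos >= IR_FRAME_SIZE)
        pos = IR_FRAME_SIZE - 1;
    memset(frame, 0x10, sizeof(frame));
    frame[pos] = IR_END;
    used = decode_ir_bounded(frame, ARRAY_SIZE(frame), ev);
    if (first_ns)
        *first_ns = ev[0].duration;   /* 0x10 * 7 * 83333 / 1000 = 9333 */
    return used;
}

static unsigned long demo_first_duration(void)
{
    unsigned long ns = 0;
    demo_bounded_terminator_at(10, &ns);
    return ns;
}

int main(void)
{
    printf("unbounded: read %zu bytes of a %d-byte frame\n",
           demo_unbounded_overrun(), IR_FRAME_SIZE);
    printf("bounded, no terminator: %zu bytes\n", demo_bounded_no_terminator());
    printf("bounded, terminator at 10: %zu bytes, first event %lu ns\n",
           demo_bounded_terminator_at(10, NULL), demo_first_duration());
    return 0;
}
```

The unbounded decoder keeps reading until it happens to meet a 0xff, which is exactly the dependency on well-formed firmware output that a fuzzer breaks; the bounded decoder stops at the declared size regardless of content, and because the limit is spelled `ARRAY_SIZE(frame)` at the call site it cannot drift from the buffer declaration the way a literal 63 can.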