Received: by 2002:a25:ad19:0:0:0:0:0 with SMTP id y25csp210163ybi; Tue, 2 Jul 2019 19:15:38 -0700 (PDT) X-Google-Smtp-Source: APXvYqyMXzz41CpUsuiDgMriI2yI8927ZegXw2Wm7fihZJVao4FSSSAq8osSesq8d1Mu92QRUz7k X-Received: by 2002:a63:f857:: with SMTP id v23mr19640723pgj.228.1562120138111; Tue, 02 Jul 2019 19:15:38 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1562120138; cv=none; d=google.com; s=arc-20160816; b=YcLnuUsIKX1wiYP0TADWpccnqfGT2EYb9bFyprDh7kELXntn3MbVlQnvA/NdQUovdI +1VPYCy+vpmyuW1CCOSM2ar7Z+NaK0tZvGb+Ysc9MisuHCLVhAk0vKHQJLamP5vUIzKs o+PSunTtUx6ShDipVOBTgp0cH3O6h7H8iMBgmeBweNUlTUok68Js63Ztkz5P5QuXDBaX xwt8FXEX36cVKQ/8mZB72Kp+GoxGAdovvKgMZprP9RmTuFhc8qrTlSkvoVK39x4jMVtv SIffn0JLlgbbst1jQeNBkbj5FHYxLBIOO8oq27nwxDAgoTlI3jbj0PHSdbkokv2HshFc NuIw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:references:in-reply-to:message-id:date :subject:cc:to:from:dkim-signature; bh=Isqfps/O6LwRnu+dRSzriy5CxI0umRBIFUrqM+okdCs=; b=ZooMY1c/WPcI9JaNgXfCBuATZZIHvTDnHPzJuyYtbTzvnOqteDIsiUgV/8lFbYHQzr 43YUt64e5VDwZ8zjd6GKfcStGQIY0Y7oSNv8davIle1snu12BFCGfZAzOShNfrX7B8qw h3JofFRoIZpaMy8fXGDizbngOn3HBLWVJSkrXlG2nxOKT6BoLEABbeeVLbnSrUDjiKmG xYhqEbIJ6KQBvr9MsHhlJaSJo7hqEjw21IBCEVusjAVWjyimQo4le4Hv07cz/PD9ufwz NguMx5ExUrULeEzzETqr0NxGiLy+P/iTBeqYoCanpjotQhbgzkIfsQNGtf0AOBG48miI N4Zg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=eMgdo5cx; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id 28si473047pgy.252.2019.07.02.19.15.22; Tue, 02 Jul 2019 19:15:38 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=eMgdo5cx; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727083AbfGCCPC (ORCPT + 99 others); Tue, 2 Jul 2019 22:15:02 -0400 Received: from mail-pl1-f193.google.com ([209.85.214.193]:45575 "EHLO mail-pl1-f193.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726329AbfGCCPC (ORCPT ); Tue, 2 Jul 2019 22:15:02 -0400 Received: by mail-pl1-f193.google.com with SMTP id bi6so299697plb.12; Tue, 02 Jul 2019 19:15:01 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:subject:date:message-id:in-reply-to:references; bh=Isqfps/O6LwRnu+dRSzriy5CxI0umRBIFUrqM+okdCs=; b=eMgdo5cxD8xocs0qEkS5EHNLEtNLZV+yO9aTlypZIbft8FBVAa/yS1ZqB/gmuI9J/0 Y8Pu2DxexEkDszk9Vt58d1mBAWJBnWu1X/ISi5igs1bfkab1EeO/UYJxuIodJvv+bug8 RLH6+zu3qy8OB+mCmUxEv2K/a6RmUkDmtOIcoYpld8hLAO5MFAPgxNp+m6D4M9n0Ouc3 DHY9n/2eiMdeYjvHF07NkRPu7wpGYeBMmMZXtpBr1e91vJDDJf405wmxpI0DIi/xxU+x tuuOLTUVeWD5skWO0zu3+1OIW3Bq7UykHev7jtjweIeTsCh1C7mqHXKyVYOfCz+rDy+o mSPA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references; bh=Isqfps/O6LwRnu+dRSzriy5CxI0umRBIFUrqM+okdCs=; b=Aeavo+47bzaP0DLTpADFMMtDRqyFIN21vTuHT0oykWfA0sH1wajrDBV2i0dF5Xf084 XUu7NH3rM9vbTCbhwcbJebcbZvp/T9gBQeNcGa8qN0SzTEyCyB8icjg3U948Qmbx6IDr 8RnTIPCWbg/A7lZl7d9P+dcWhuXuKmTUA74yzhWCms0ASn8PmoYU9bqB99HxmEugOgfF oH/UH5HFoylAjLfMLaSQQML6CYpU0EYJCGIZVXIWUlwbvane7Q1k25a9WJVTp4CIcTvq oHu/TL77NNqXszzIg604TGu1JfHaCPpfFmZ4XQqJqhkDHfBkxvnYKhx4WENUL7tRTrV3 VhgQ== X-Gm-Message-State: APjAAAWtoVjybjiq8ADL66h6clmA+A7EqoyeqmmgdVMQM6Qn+wv6Ssxh B2d0iuaULxImOdOiD6oFDa4= X-Received: by 2002:a17:902:b944:: with SMTP id h4mr30236136pls.179.1562120101420; Tue, 02 Jul 2019 19:15:01 -0700 (PDT) Received: from debian.net.fpt ([2405:4800:58f7:1cb1:98e0:87d3:2c8b:b6ed]) by smtp.gmail.com with ESMTPSA id h2sm382955pgs.17.2019.07.02.19.14.57 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 02 Jul 2019 19:15:00 -0700 (PDT) From: Phong Tran To: tranmanphong@gmail.com Cc: andreyknvl@google.com, gregkh@linuxfoundation.org, hans.verkuil@cisco.com, keescook@chromium.org, linux-kernel-mentees@lists.linuxfoundation.org, linux-kernel@vger.kernel.org, linux-media@vger.kernel.org, linux-usb@vger.kernel.org, mchehab@kernel.org, skhan@linuxfoundation.org, syzbot+eaaaf38a95427be88f4b@syzkaller.appspotmail.com, syzkaller-bugs@googlegroups.com, glider@google.com Subject: [PATCH V2] media: usb: technisat-usb2: fix buffer overflow Date: Wed, 3 Jul 2019 09:14:44 +0700 Message-Id: <20190703021444.19954-1-tranmanphong@gmail.com> X-Mailer: git-send-email 2.11.0 In-Reply-To: <20190702140211.28399-1-tranmanphong@gmail.com> References: <20190702140211.28399-1-tranmanphong@gmail.com> Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org The buffer will be overflow in case of the while loop can not break. Add the checking buffer condition in while loop for avoiding overlooping index. This issue was reported by syzbot Reported-by: syzbot+eaaaf38a95427be88f4b@syzkaller.appspotmail.com Tested-by: https://groups.google.com/d/msg/syzkaller-bugs/CySBCKuUOOs/t3PvVheSAAAJ Signed-off-by: Phong Tran --- Change Log: * V2: add IR_MAX_BUFFER_INDEX and adjust the while loop condition as comments --- drivers/media/usb/dvb-usb/technisat-usb2.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/drivers/media/usb/dvb-usb/technisat-usb2.c b/drivers/media/usb/dvb-usb/technisat-usb2.c index c659e18b358b..cdabff97c1ea 100644 --- a/drivers/media/usb/dvb-usb/technisat-usb2.c +++ b/drivers/media/usb/dvb-usb/technisat-usb2.c @@ -49,6 +49,7 @@ MODULE_PARM_DESC(disable_led_control, "disable LED control of the device (default: 0 - LED control is active)."); /* device private data */ +#define IR_MAX_BUFFER_INDEX 63 struct technisat_usb2_state { struct dvb_usb_device *dev; struct delayed_work green_led_work; @@ -56,7 +57,7 @@ struct technisat_usb2_state { u16 last_scan_code; - u8 buf[64]; + u8 buf[IR_MAX_BUFFER_INDEX + 1]; }; /* debug print helpers */ @@ -655,7 +656,7 @@ static int technisat_usb2_get_ir(struct dvb_usb_device *d) #endif ev.pulse = 0; - while (1) { + while (b <= (buf + IR_MAX_BUFFER_INDEX)) { ev.pulse = !ev.pulse; ev.duration = (*b * FIRMWARE_CLOCK_DIVISOR * FIRMWARE_CLOCK_TICK) / 1000; ir_raw_event_store(d->rc_dev, &ev); -- 2.11.0