From: Zhang Shurong
To: crope@iki.fi
Cc: mchehab@kernel.org, linux-media@vger.kernel.org, linux-kernel@vger.kernel.org, Zhang Shurong
Subject: [PATCH] media: dvb-usb-v2: gl861: Fix null-ptr-deref in gl861_i2c_master_xfer
Date: Sat, 8 Jul 2023 17:29:57 +0800
X-OQ-MSGID: <20230708092957.3163837-1-zhang_shurong@foxmail.com>
X-Mailing-List: linux-kernel@vger.kernel.org

In gl861_i2c_master_xfer, msg is controlled by the user. When msg[i].buf is null and msg[i].len is zero, the former checks on msg[i].buf would be passed. Malicious data finally reach gl861_i2c_master_xfer. If msg[i].buf[0] is accessed without a sanity check, a null ptr deref would happen. We add a check on msg[i].len to prevent the crash.

Similar commit:
commit 0ed554fd769a ("media: dvb-usb: az6027: fix null-ptr-deref in az6027_i2c_xfer()")

Signed-off-by: Zhang Shurong
--- drivers/media/usb/dvb-usb-v2/gl861.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/media/usb/dvb-usb-v2/gl861.c b/drivers/media/usb/dvb-usb-v2/gl861.c index 0c434259c36f..a552b646d407 100644 --- a/drivers/media/usb/dvb-usb-v2/gl861.c +++ b/drivers/media/usb/dvb-usb-v2/gl861.c
@@ -97,7 +97,7 @@ static int gl861_i2c_master_xfer(struct i2c_adapter *adap, struct i2c_msg msg[], /* XXX: I2C adapter maximum data lengths are not tested */ if (num == 1 && !(msg[0].flags & I2C_M_RD)) { /* I2C write */ - if (msg[0].len < 2 || msg[0].len > sizeof(ctx->buf)) { + if (msg[0].len == 0 || msg[0].len > sizeof(ctx->buf)) { ret = -EOPNOTSUPP; goto err; } @@ -120,7 +120,7 @@ static int gl861_i2c_master_xfer(struct i2c_adapter *adap, struct i2c_msg msg[], } else if (num == 2 && !(msg[0].flags & I2C_M_RD) && (msg[1].flags & I2C_M_RD)) { /* I2C write + read */ - if (msg[0].len > 1 || msg[1].len > sizeof(ctx->buf)) { + if (msg[0].len != 1 || msg[1].len > sizeof(ctx->buf)) { ret = -EOPNOTSUPP; goto err; } -- 2.30.2
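
Review bot: In the I2C write hunk (@@ -97,7), the old condition `msg[0].len < 2` already rejected a zero-length message, so replacing it with `msg[0].len == 0` does not add the protection the commit message describes; its only visible effect is that `msg[0].len == 1` is now accepted. The code that consumes msg[0].buf after this check is outside the hunk, so please confirm that a one-byte write is handled safely there, or keep `< 2`. If accepting one-byte writes is intended, state that in the commit message, since it is a behaviour change separate from the null-ptr-deref fix.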
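
Review bot: In the I2C write + read hunk (@@ -120,7), `msg[0].len != 1` now rejects a zero-length msg[0], but msg[1] is still only bounded from above by `msg[1].len > sizeof(ctx->buf)`, so a read message with len 0, the same zero-length case the commit message is concerned with, still passes this check. Either add `msg[1].len == 0` to the condition or explain in the commit message why msg[1].buf is never dereferenced on this path when its length is zero. A Fixes: tag naming the commit that introduced these checks would also help stable backports; the message currently cites only the similar az6027 commit.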