From: Takashi Iwai
To: Sean Young
Cc: Mauro Carvalho Chehab, linux-media@vger.kernel.org, linux-kernel@vger.kernel.org, "Ricardo B . Marliere"
Subject: [PATCH] media: imon: fix access to invalid resource for the second interface
Date: Fri, 22 Sep 2023 14:38:07 +0200
Message-Id: <20230922123807.15236-1-tiwai@suse.de>

imon driver probes two USB interfaces, and at the probe of the second
interface, the driver assumes blindly that the first interface got
bound with the same imon driver. It's usually true, but it's still
possible that the first interface is bound with another driver via a
malformed descriptor. Then it may lead to a memory corruption, as
spotted by syzkaller; imon driver accesses the data from drvdata as
struct imon_context object although it's a completely different one
that was assigned by another driver.

This patch adds a sanity check -- whether the first interface is
really bound with the imon driver or not -- for avoiding the problem
above at the probe time.

Reported-by: syzbot+59875ffef5cb9c9b29e9@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/all/000000000000a838aa0603cc74d6@google.com/
Tested-by: Ricardo B. Marliere
Link: https://lore.kernel.org/r/20230922005152.163640-1-ricardo@marliere.net
Signed-off-by: Takashi Iwai
---
 drivers/media/rc/imon.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/drivers/media/rc/imon.c b/drivers/media/rc/imon.c index 74546f7e3469..5719dda6e0f0 100644 --- a/drivers/media/rc/imon.c +++ b/drivers/media/rc/imon.c @@ -2427,6 +2427,12 @@ static int imon_probe(struct usb_interface *interface, goto fail; } + if (first_if->dev.driver != interface->dev.driver) { + dev_err(&interface->dev, "inconsistent driver matching\n"); + ret = -EINVAL; + goto fail; + } + if (ifnum == 0) { ictx = imon_init_intf0(interface, id); if (!ictx) { -- 2.35.3
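
Review bot: the new `first_if->dev.driver != interface->dev.driver` test in imon_probe() sits ahead of `if (ifnum == 0)`, so it runs on every probe, while the commit message describes it as a guard for the second interface only, and nothing in the code says why it is there. A short comment above the check would help: it protects the later use of the first interface's drvdata as `struct imon_context`, and, assuming `interface->dev.driver` is already set while probe runs, it also rejects a first interface with no driver bound at all, since a NULL `dev.driver` compares unequal. The dev_err() text "inconsistent driver matching" could state the condition directly, for example that the first interface is not bound to this driver, so that a log reader can tell what was refused without opening the source.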