From: pip-izony <eeodqql09@gmail.com>
To: Mauro Carvalho Chehab <mchehab@kernel.org>
Cc: Seungjin Bae <eeodqql09@gmail.com>,
Kyungtae Kim <Kyungtae.Kim@dartmouth.edu>,
Sanghoon Choi <csh0052@gmail.com>,
linux-media@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH v4] media: ttusb-dec: fix heap-buffer-overflow in ttusb_dec_process_urb_frame()
Date: Tue, 30 Dec 2025 14:50:42 -0500 [thread overview]
Message-ID: <20251230195041.36768-2-eeodqql09@gmail.com> (raw)
In-Reply-To: <20251223010121.1142862-2-eeodqql09@gmail.com>
From: Seungjin Bae <eeodqql09@gmail.com>
The `ttusb_dec_process_urb_frame()` parses the PVA packet from the
USB device. However, it doesn't check whether the calculated
`packet_payload_length` exceeds the size of the `packet` buffer.
The `packet` buffer has a fixed size of `MAX_PVA_LENGTH + 4`. However,
`packet_payload_length` is derived from 2 bytes of the input data,
allowing a maximum value of 65543 bytes (8 + 0xFFFF).
If a malicious USB device sends a packet with crafted data, it
triggers a heap buffer overflow. This allows an attacker to overwrite
adjacent fields in the `struct ttusb_dec`. Specifically, the `a_pes2ts`
field, which contains a callback function pointer, is located after the
`packet` buffer. Overwriting this pointer can lead to control flow
hijacking.
Fix this by adding a bounds check for the parsed length against the
buffer size.
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Co-developed-by: Sanghoon Choi <csh0052@gmail.com>
Signed-off-by: Sanghoon Choi <csh0052@gmail.com>
Signed-off-by: Seungjin Bae <eeodqql09@gmail.com>
---
v1 -> v2: Change warning function
v2 -> v3: Add missing comma in the dev_warn argument
v3 -> v4: Edit alignment
drivers/media/usb/ttusb-dec/ttusb_dec.c | 13 +++++++++++--
1 file changed, 11 insertions(+), 2 deletions(-)
diff --git a/drivers/media/usb/ttusb-dec/ttusb_dec.c b/drivers/media/usb/ttusb-dec/ttusb_dec.c
index b4575fe89c95..17c7a8d5ada9 100644
--- a/drivers/media/usb/ttusb-dec/ttusb_dec.c
+++ b/drivers/media/usb/ttusb-dec/ttusb_dec.c
@@ -703,10 +703,19 @@ static void ttusb_dec_process_urb_frame(struct ttusb_dec *dec, u8 *b,
if (dec->packet_type == TTUSB_DEC_PACKET_PVA &&
dec->packet_length == 8) {
- dec->packet_state++;
- dec->packet_payload_length = 8 +
+ int len = 8 +
(dec->packet[6] << 8) +
dec->packet[7];
+
+ if (len > MAX_PVA_LENGTH + 4) {
+ dev_warn(&dec->udev->dev,
+ "%s: packet too long - discarding\n",
+ __func__);
+ dec->packet_state = 0;
+ } else {
+ dec->packet_state++;
+ dec->packet_payload_length = len;
+ }
} else if (dec->packet_type ==
TTUSB_DEC_PACKET_SECTION &&
dec->packet_length == 5) {
--
2.43.0
next prev parent reply other threads:[~2025-12-30 19:51 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-12-22 0:20 [PATCH] media: ttusb-dec: fix heap-buffer-overflow in ttusb_dec_process_urb_frame() pip-izony
2025-12-22 5:46 ` [PATCH v2] " pip-izony
2025-12-23 0:31 ` kernel test robot
2025-12-23 1:01 ` [PATCH v3] " pip-izony
2025-12-30 19:50 ` pip-izony [this message]
2025-12-23 1:17 ` [PATCH v2] " kernel test robot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20251230195041.36768-2-eeodqql09@gmail.com \
--to=eeodqql09@gmail.com \
--cc=Kyungtae.Kim@dartmouth.edu \
--cc=csh0052@gmail.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-media@vger.kernel.org \
--cc=mchehab@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.