Date: Tue, 2 Jul 2019 06:45:10 +0200
From: Greg KH
To: Phong Tran
Cc: mchehab@kernel.org, hans.verkuil@cisco.com, keescook@chromium.org, skhan@linuxfoundation.org, linux-kernel-mentees@lists.linuxfoundation.org, linux-media@vger.kernel.org
Subject: Re: [Linux-kernel-mentees] Analyze syzbot report technisat_usb2_rc_query KASAN
Message-ID: <20190702044510.GA1045@kroah.com>
X-Mailing-List: linux-media@vger.kernel.org

On Tue, Jul 02, 2019 at 07:49:26AM +0700, Phong Tran wrote:
> Hello,
>
> I did a check of this syzbot report [1].
> From the call stack of the dump log:
>
> it shows that there is a problem within technisat_usb2_get_ir():
>
> BUG: KASAN: slab-out-of-bounds in technisat_usb2_get_ir
> drivers/media/usb/dvb-usb/technisat-usb2.c:664 [inline]
> BUG: KASAN: slab-out-of-bounds in technisat_usb2_rc_query+0x5fa/0x660
> drivers/media/usb/dvb-usb/technisat-usb2.c:679
> Read of size 1 at addr ffff8880a8791ea8 by task kworker/0:1/12
>
> Take a look at the while loop in technisat_usb2_get_ir().
> I recognized a problem: the loop will not break out if the condition
> is never reached. Then "b++" will go wrong and the buffer will overflow.
>
>     while (1) {
>         [...]
>         b++;
>         if (*b == 0xff) {
>             ev.pulse = 0;
>             ev.duration = 888888*2;
>             ir_raw_event_store(d->rc_dev, &ev);
>             break;
>         }
>     }
>
> I would propose changing the loop condition by checking the address of the
> buffer. If acceptable, I will send this patch to the mailing-list.
> eg:
>
> -    while (1) {
> +    while (b != (buf + 63)) {
>         [...]
>     }
>
> Tested with syzbot, result is good [2].
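Review bot: the proposed condition `while (b != (buf + 63))` bounds the scan against a fixed offset instead of the number of bytes the device actually returned, and it does not stop the read that KASAN flagged: the quoted body does `b++` and then dereferences `*b` before the loop condition is re-tested, so the byte at `buf + 63` is still read, which is only safe if the storage behind `buf` holds at least 64 bytes, and nothing in the quoted lines shows that. Suggest terminating on the transfer's returned length, compared with `<` rather than `!=` so that a `b` already past the bound cannot step over it and loop forever, and deciding what the exit-by-bound path should report, since the trailing `ev.duration = 888888*2` end-of-burst event is only stored on the 0xff branch and a reply without a terminator would silently stop with no end event.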
>
> [1] https://syzkaller.appspot.com/bug?extid=eaaaf38a95427be88f4b
> [2] https://groups.google.com/d/msg/syzkaller-bugs/CySBCKuUOOs/0hKq1CdjCwAJ

Great, can you submit a patch for this?

thanks,

greg k-h
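The over-read discussed in the thread, as an added userspace example that is not the driver's code and not part of the original mail: a model of the quoted decoding loop in two forms, the unbounded `while (1)` scan and a version bounded by the byte count the transfer returned. The scale factor, the 62-byte reply length, the 128-byte backing array and the reply bytes are all constructed for this demo (the real driver's constants and buffer sizes are not on the page); the backing array is deliberately larger than the reply so the unbounded scan's walk past the reported length can be observed without undefined behaviour.

```c
/* Added example (not the technisat-usb2 driver's code): decode an IR reply
 * buffer in the shape of the loop quoted in the mail, once unbounded and once
 * bounded by the returned length.  All sizes and bytes below are constructed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SCALE      7            /* assumed: stands in for the driver's clock scaling */
#define END_GAP    (888888 * 2) /* trailing gap stored on the 0xff terminator */
#define BACKING    128          /* constructed: memory behind the reply buffer */
#define REPLY_LEN  62           /* constructed: byte count the "device" returned */

struct ir_event { int pulse; unsigned duration; };

struct decode_result {
    size_t events;     /* events the decoder tried to store */
    size_t last_index; /* highest buffer index it dereferenced */
    int terminated;    /* 1 if a 0xff terminator was seen */
};

static void store(struct decode_result *r, struct ir_event *out, size_t cap,
                  int pulse, unsigned duration)
{
    if (r->events < cap)
        out[r->events] = (struct ir_event){ pulse, duration };
    r->events++;
}

/* Same control flow as the quoted loop: the only exit is a 0xff byte, so a
 * reply without one is scanned until some unrelated memory happens to hold 0xff. */
static struct decode_result decode_unbounded(const uint8_t *buf,
                                             struct ir_event *out, size_t cap)
{
    struct decode_result r = { 0, 0, 0 };
    const uint8_t *b = buf + 1;   /* buf[0] echoes the request byte (assumed) */
    int pulse = 0;

    while (1) {
        pulse = !pulse;
        r.last_index = (size_t)(b - buf);
        store(&r, out, cap, pulse, *b * SCALE);

        b++;
        r.last_index = (size_t)(b - buf);   /* this read precedes any bound check */
        if (*b == 0xff) {
            store(&r, out, cap, 0, END_GAP);
            r.terminated = 1;
            break;
        }
    }
    return r;
}

/* Bounded by the length the transfer returned: a reply with no terminator stops
 * at len and reports terminated == 0 so the caller can decide what to do. */
static struct decode_result decode_bounded(const uint8_t *buf, size_t len,
                                           struct ir_event *out, size_t cap)
{
    struct decode_result r = { 0, 0, 0 };
    int pulse = 0;
    size_t i;

    for (i = 1; i < len; i++) {
        r.last_index = i;
        if (buf[i] == 0xff) {
            store(&r, out, cap, 0, END_GAP);
            r.terminated = 1;
            break;
        }
        pulse = !pulse;
        store(&r, out, cap, pulse, buf[i] * SCALE);
    }
    return r;
}

/* Constructed reply: 62 bytes of timings with no 0xff in them, and a stray 0xff
 * well past the reported length in the memory behind the buffer. */
static void build_unterminated_reply(uint8_t *backing)
{
    size_t i;
    memset(backing, 0x20, BACKING);
    backing[0] = 0x08;                        /* request echo */
    for (i = 1; i < REPLY_LEN; i++)
        backing[i] = (uint8_t)(0x10 + i);     /* 0x11 .. 0x4d, never 0xff */
    backing[100] = 0xff;
}

static struct decode_result run_unbounded_on_unterminated(void)
{
    uint8_t backing[BACKING];
    struct ir_event ev[8];
    build_unterminated_reply(backing);
    return decode_unbounded(backing, ev, 8);
}

static struct decode_result run_bounded_on_unterminated(void)
{
    uint8_t backing[BACKING];
    struct ir_event ev[8];
    build_unterminated_reply(backing);
    return decode_bounded(backing, REPLY_LEN, ev, 8);
}

/* Constructed well-formed reply: two timings followed by the 0xff terminator. */
static struct decode_result run_bounded_on_terminated(void)
{
    uint8_t reply[4] = { 0x08, 10, 20, 0xff };
    struct ir_event ev[8];
    return decode_bounded(reply, sizeof reply, ev, 8);
}

int main(void)
{
    struct decode_result a = run_unbounded_on_unterminated();
    struct decode_result b = run_bounded_on_unterminated();
    struct decode_result c = run_bounded_on_terminated();

    printf("unbounded, no terminator: last index %zu of a %d-byte reply, %zu events\n",
           a.last_index, REPLY_LEN, a.events);
    printf("bounded,   no terminator: last index %zu, %zu events, terminated=%d\n",
           b.last_index, b.events, b.terminated);
    printf("bounded,   terminated:    last index %zu, %zu events, terminated=%d\n",
           c.last_index, c.events, c.terminated);
    return 0;
}
```

Build with `cc -std=c99 -Wall demo.c && ./a.out`. Against the unterminated reply the unbounded decoder reports its last dereference at index 100 of a 62-byte reply and emits 100 events, which in the kernel is the slab-out-of-bounds read KASAN caught; the bounded decoder stops at index 61 with `terminated == 0`, and on the well-formed reply both paths agree on three events ending in the gap event.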