[syzbot] [media?] BUG: corrupted list in az6007_i2c_xfer

[syzbot] [media?] BUG: corrupted list in az6007_i2c_xfer

[syzbot]

Hello,

syzbot found the following issue on:

HEAD commit:    ac71fabf1567 gcc-15: work around sequence-point warning
git tree:       upstream
console+strace: https://syzkaller.appspot.com/x/log.txt?x=10b4cc70580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=7a7c679f880028f0
dashboard link: https://syzkaller.appspot.com/bug?extid=0192952caa411a3be209
compiler:       gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=16fedb98580000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=10edf4cc580000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/d368be8878a6/disk-ac71fabf.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/cc783efdaf4c/vmlinux-ac71fabf.xz
kernel image: https://storage.googleapis.com/syzbot-assets/d04c29c82c67/bzImage-ac71fabf.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+0192952caa411a3be209@syzkaller.appspotmail.com

usb read operation failed. (-71)
------------[ cut here ]------------
UBSAN: array-index-out-of-bounds in drivers/media/usb/dvb-usb-v2/az6007.c:821:30
index 4096 is out of range for type 'unsigned char [4096]'
CPU: 1 UID: 0 PID: 5832 Comm: syz-executor328 Not tainted 6.15.0-rc2-syzkaller-00493-gac71fabf1567 #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:120
 ubsan_epilogue lib/ubsan.c:231 [inline]
 __ubsan_handle_out_of_bounds+0x11c/0x160 lib/ubsan.c:453
 az6007_i2c_xfer+0x549/0xc30 drivers/media/usb/dvb-usb-v2/az6007.c:821
 __i2c_transfer+0x6b3/0x2190 drivers/i2c/i2c-core-base.c:2259
 i2c_transfer drivers/i2c/i2c-core-base.c:2315 [inline]
 i2c_transfer+0x1da/0x380 drivers/i2c/i2c-core-base.c:2291
 i2c_transfer_buffer_flags+0x10c/0x190 drivers/i2c/i2c-core-base.c:2343
 i2c_master_recv include/linux/i2c.h:79 [inline]
 i2cdev_read+0x111/0x280 drivers/i2c/i2c-dev.c:155
 do_loop_readv_writev fs/read_write.c:845 [inline]
 do_loop_readv_writev fs/read_write.c:833 [inline]
 vfs_readv+0x6bc/0x8a0 fs/read_write.c:1018
 do_preadv+0x1af/0x270 fs/read_write.c:1130
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xcd/0x260 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f4d458f3929
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 c1 17 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffe002f51e8 EFLAGS: 00000246 ORIG_RAX: 0000000000000127
RAX: ffffffffffffffda RBX: 00007ffe002f5230 RCX: 00007f4d458f3929
RDX: 0000000000000001 RSI: 00002000000025c0 RDI: 0000000000000004
RBP: 0000000000000000 R08: 000000000000007e R09: 00007ffe002f5230
R10: 0000000000000002 R11: 0000000000000246 R12: 00000000000f4240
R13: 00007ffe002f54b8 R14: 00007ffe002f521c R15: 00007ffe002f5220
 </TASK>
---[ end trace ]---


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

syz test

[Arnaud Lecomte]

#syz test
diff --git a/drivers/media/usb/dvb-usb-v2/az6007.c b/drivers/media/usb/dvb-usb-v2/az6007.c
index 65ef045b74ca..784cba9c15ef 100644
--- a/drivers/media/usb/dvb-usb-v2/az6007.c
+++ b/drivers/media/usb/dvb-usb-v2/az6007.c
@@ -751,6 +751,9 @@ static int az6007_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg msgs[],
 	int length;
 	u8 req, addr;
 
+	if (!usb_trylock_device(d->udev))
+		return -EBUSY;
+
 	if (mutex_lock_interruptible(&st->mutex) < 0) {
+		usb_unlock_device(d->udev);
 		return -EAGAIN;
 	}
 
@@ -757,6 +760,10 @@ static int az6007_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg msgs[],
 
 	for (i = 0; i < num; i++) {
 		addr = msgs[i].addr << 1;
+		if (msgs[i].len < 1 || msgs[i].len >= sizeof(st->data) - 6) {
+			ret = -EIO;
+			goto err;
+		}
 		if (((i + 1) < num)
 		    && (msgs[i].len == 1)
 		    && ((msgs[i].flags & I2C_M_RD) != I2C_M_RD)
@@ -821,6 +828,7 @@ static int az6007_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg msgs[],
 	}
 err:
 	mutex_unlock(&st->mutex);
+	usb_unlock_device(d->udev);
 	if (ret < 0) {
 		pr_info("%s ERROR: %i\n", __func__, ret);
 		return ret;

Re: [syzbot] [media?] BUG: corrupted list in az6007_i2c_xfer

[syzbot]

Hello,

syzbot tried to test the proposed patch but the build/boot failed:

failed to apply patch:
checking file drivers/media/usb/dvb-usb-v2/az6007.c
patch: **** malformed patch at line 15:  	}




Tested on:

commit:         9d7a0577 gcc-15: disable '-Wunterminated-string-initia..
git tree:       upstream
kernel config:  https://syzkaller.appspot.com/x/.config?x=7a7c679f880028f0
dashboard link: https://syzkaller.appspot.com/bug?extid=0192952caa411a3be209
compiler:       
patch:          https://syzkaller.appspot.com/x/patch.diff?x=16719ccc580000

syz test

[Arnaud Lecomte]

#syz test
diff --git a/drivers/media/usb/dvb-usb-v2/az6007.c b/drivers/media/usb/dvb-usb-v2/az6007.c
index 65ef045b74ca..784cba9c15ef 100644
--- a/drivers/media/usb/dvb-usb-v2/az6007.c
+++ b/drivers/media/usb/dvb-usb-v2/az6007.c
@@ -752,11 +752,18 @@ static int az6007_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg msgs[],
        int length;
        u8 req, addr;

+       if(!usb_trylock_device(d->udev))
+               return -EBUSY;
+
        if (mutex_lock_interruptible(&st->mutex) < 0)
                return -EAGAIN;

        for (i = 0; i < num; i++) {
                addr = msgs[i].addr << 1;
+               if (msgs[i].len < 1 || msgs[i].len >= sizeof(st->data) - 6) {
+                       ret = -EIO;
+                       goto err;
+               }
                if (((i + 1) < num)
                    && (msgs[i].len == 1)
                    && ((msgs[i].flags & I2C_M_RD) != I2C_M_RD)
@@ -788,10 +795,6 @@ static int az6007_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg msgs[],
                        if (az6007_xfer_debug)
                                printk(KERN_DEBUG "az6007: I2C W addr=0x%x len=%d\n",
                                       addr, msgs[i].len);
-                       if (msgs[i].len < 1) {
-                               ret = -EIO;
-                               goto err;
-                       }
                        req = AZ6007_I2C_WR;
                        index = msgs[i].buf[0];
                        value = addr | (1 << 8);
@@ -806,10 +809,6 @@ static int az6007_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg msgs[],
                        if (az6007_xfer_debug)
                                printk(KERN_DEBUG "az6007: I2C R addr=0x%x len=%d\n",
                                       addr, msgs[i].len);
-                       if (msgs[i].len < 1) {
-                               ret = -EIO;
-                               goto err;
-                       }
                        req = AZ6007_I2C_RD;
                        index = msgs[i].buf[0];
                        value = addr;
@@ -825,7 +824,7 @@ static int az6007_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg msgs[],
        }
 err:
        mutex_unlock(&st->mutex);
-
+       usb_unlock_device(d->udev);
        if (ret < 0) {
                pr_info("%s ERROR: %i\n", __func__, ret);
                return ret;

syz test

[Arnaud Lecomte]

#syz test

--- a/drivers/media/usb/dvb-usb-v2/az6007.c
+++ b/drivers/media/usb/dvb-usb-v2/az6007.c
@@ -752,11 +752,18 @@ static int az6007_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg msgs[],
        int length;
        u8 req, addr;
 
+       if(!usb_trylock_device(d->udev))
+               return -EBUSY;
+
        if (mutex_lock_interruptible(&st->mutex) < 0)
                return -EAGAIN;
 
        for (i = 0; i < num; i++) {
                addr = msgs[i].addr << 1;
+               if (msgs[i].len < 1 || msgs[i].len >= sizeof(st->data) - 6) {
+                       ret = -EIO;
+                       goto err;
+               }
                if (((i + 1) < num)
                    && (msgs[i].len == 1)
                    && ((msgs[i].flags & I2C_M_RD) != I2C_M_RD)
@@ -788,10 +795,6 @@ static int az6007_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg msgs[],
                        if (az6007_xfer_debug)
                                printk(KERN_DEBUG "az6007: I2C W addr=0x%x len=%d\n",
                                       addr, msgs[i].len);
-                       if (msgs[i].len < 1) {
-                               ret = -EIO;
-                               goto err;
-                       }
                        req = AZ6007_I2C_WR;
                        index = msgs[i].buf[0];
                        value = addr | (1 << 8);
@@ -806,10 +809,6 @@ static int az6007_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg msgs[],
                        if (az6007_xfer_debug)
                                printk(KERN_DEBUG "az6007: I2C R addr=0x%x len=%d\n",
                                       addr, msgs[i].len);
-                       if (msgs[i].len < 1) {
-                               ret = -EIO;
-                               goto err;
-                       }
                        req = AZ6007_I2C_RD;
                        index = msgs[i].buf[0];
                        value = addr;
@@ -825,7 +824,7 @@ static int az6007_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg msgs[],
        }
 err:
        mutex_unlock(&st->mutex);
-
+       usb_unlock_device(d->udev);
        if (ret < 0) {
                pr_info("%s ERROR: %i\n", __func__, ret);
                return ret;
--

[PATCH] media: az6007: Add upper bound check to the data of device state

[Edward Adam Davis]

syzbot report a corrupted list in az6007_i2c_xfer. [1]

Before accessing the member data of the struct az6007_device_state, only
the lower boundary of data is checked, but the upper boundary is not checked.
When the value of msgs[i].len is damaged or too large, it will cause out
of bounds access to st->data.

[1]
UBSAN: array-index-out-of-bounds in drivers/media/usb/dvb-usb-v2/az6007.c:821:30
index 4096 is out of range for type 'unsigned char [4096]'
CPU: 1 UID: 0 PID: 5832 Comm: syz-executor328 Not tainted 6.15.0-rc2-syzkaller-00493-gac71fabf1567 #0 PREEMPT(full)
Call Trace:
 <TASK>
 az6007_i2c_xfer+0x549/0xc30 drivers/media/usb/dvb-usb-v2/az6007.c:821
 i2c_transfer_buffer_flags+0x10c/0x190 drivers/i2c/i2c-core-base.c:2343
 i2cdev_read+0x111/0x280 drivers/i2c/i2c-dev.c:155
 do_loop_readv_writev fs/read_write.c:833 [inline]
 do_preadv+0x1af/0x270 fs/read_write.c:1130
 do_syscall_64+0xcd/0x260 arch/x86/entry/syscall_64.c:94

Reported-by: syzbot+0192952caa411a3be209@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=0192952caa411a3be209
Signed-off-by: Edward Adam Davis <eadavis@qq.com>
---
 drivers/media/usb/dvb-usb-v2/az6007.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/media/usb/dvb-usb-v2/az6007.c b/drivers/media/usb/dvb-usb-v2/az6007.c
index 65ef045b74ca..6322894eda27 100644
--- a/drivers/media/usb/dvb-usb-v2/az6007.c
+++ b/drivers/media/usb/dvb-usb-v2/az6007.c
@@ -806,7 +806,8 @@ static int az6007_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg msgs[],
 			if (az6007_xfer_debug)
 				printk(KERN_DEBUG "az6007: I2C R addr=0x%x len=%d\n",
 				       addr, msgs[i].len);
-			if (msgs[i].len < 1) {
+			if (msgs[i].len < 1 ||
+			    msgs[i].len > ARRAY_SIZE(st->data) - 5) {
 				ret = -EIO;
 				goto err;
 			}
-- 
2.43.0

Re: [syzbot] [media?] BUG: corrupted list in az6007_i2c_xfer

[syzbot]

Hello,

syzbot tried to test the proposed patch but the build/boot failed:

failed to apply patch:
checking file drivers/media/usb/dvb-usb-v2/az6007.c
patch: **** unexpected end of file in patch



Tested on:

commit:         9d7a0577 gcc-15: disable '-Wunterminated-string-initia..
git tree:       upstream
kernel config:  https://syzkaller.appspot.com/x/.config?x=7a7c679f880028f0
dashboard link: https://syzkaller.appspot.com/bug?extid=0192952caa411a3be209
compiler:       
patch:          https://syzkaller.appspot.com/x/patch.diff?x=124fcc70580000

Re: [PATCH] media: az6007: Add upper bound check to the data of device state

[Arnaud Lecomte]

Hi Edward,
As I am currently trying over there: 
https://syzkaller.appspot.com/text?tag=Patch&x=10f3ac70580000, I think 
we also have a race condition related to the disconnection of the usb 
device.
What do you think ?

Arnaud

On 21/04/2025 16:31, Edward Adam Davis wrote:
> syzbot report a corrupted list in az6007_i2c_xfer. [1]
>
> Before accessing the member data of the struct az6007_device_state, only
> the lower boundary of data is checked, but the upper boundary is not checked.
> When the value of msgs[i].len is damaged or too large, it will cause out
> of bounds access to st->data.
>
> [1]
> UBSAN: array-index-out-of-bounds in drivers/media/usb/dvb-usb-v2/az6007.c:821:30
> index 4096 is out of range for type 'unsigned char [4096]'
> CPU: 1 UID: 0 PID: 5832 Comm: syz-executor328 Not tainted 6.15.0-rc2-syzkaller-00493-gac71fabf1567 #0 PREEMPT(full)
> Call Trace:
>   <TASK>
>   az6007_i2c_xfer+0x549/0xc30 drivers/media/usb/dvb-usb-v2/az6007.c:821
>   i2c_transfer_buffer_flags+0x10c/0x190 drivers/i2c/i2c-core-base.c:2343
>   i2cdev_read+0x111/0x280 drivers/i2c/i2c-dev.c:155
>   do_loop_readv_writev fs/read_write.c:833 [inline]
>   do_preadv+0x1af/0x270 fs/read_write.c:1130
>   do_syscall_64+0xcd/0x260 arch/x86/entry/syscall_64.c:94
>
> Reported-by: syzbot+0192952caa411a3be209@syzkaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=0192952caa411a3be209
> Signed-off-by: Edward Adam Davis <eadavis@qq.com>
> ---
>   drivers/media/usb/dvb-usb-v2/az6007.c | 3 ++-
>   1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/media/usb/dvb-usb-v2/az6007.c b/drivers/media/usb/dvb-usb-v2/az6007.c
> index 65ef045b74ca..6322894eda27 100644
> --- a/drivers/media/usb/dvb-usb-v2/az6007.c
> +++ b/drivers/media/usb/dvb-usb-v2/az6007.c
> @@ -806,7 +806,8 @@ static int az6007_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg msgs[],
>   			if (az6007_xfer_debug)
>   				printk(KERN_DEBUG "az6007: I2C R addr=0x%x len=%d\n",
>   				       addr, msgs[i].len);
> -			if (msgs[i].len < 1) {
> +			if (msgs[i].len < 1 ||
> +			    msgs[i].len > ARRAY_SIZE(st->data) - 5) {
>   				ret = -EIO;
>   				goto err;
>   			}

Re: [syzbot] [media?] BUG: corrupted list in az6007_i2c_xfer

[syzbot]

Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-by: syzbot+0192952caa411a3be209@syzkaller.appspotmail.com
Tested-by: syzbot+0192952caa411a3be209@syzkaller.appspotmail.com

Tested on:

commit:         9d7a0577 gcc-15: disable '-Wunterminated-string-initia..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=14604fcf980000
kernel config:  https://syzkaller.appspot.com/x/.config?x=efa83f9a6dd67d67
dashboard link: https://syzkaller.appspot.com/bug?extid=0192952caa411a3be209
compiler:       gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch:          https://syzkaller.appspot.com/x/patch.diff?x=10f3ac70580000

Note: testing is done by a robot and is best-effort only.

Re: [PATCH] media: az6007: Add upper bound check to the data of device state

[Hans Verkuil]

On 21/04/2025 16:31, Edward Adam Davis wrote:
> syzbot report a corrupted list in az6007_i2c_xfer. [1]
> 
> Before accessing the member data of the struct az6007_device_state, only
> the lower boundary of data is checked, but the upper boundary is not checked.
> When the value of msgs[i].len is damaged or too large, it will cause out
> of bounds access to st->data.
> 
> [1]
> UBSAN: array-index-out-of-bounds in drivers/media/usb/dvb-usb-v2/az6007.c:821:30
> index 4096 is out of range for type 'unsigned char [4096]'
> CPU: 1 UID: 0 PID: 5832 Comm: syz-executor328 Not tainted 6.15.0-rc2-syzkaller-00493-gac71fabf1567 #0 PREEMPT(full)
> Call Trace:
>  <TASK>
>  az6007_i2c_xfer+0x549/0xc30 drivers/media/usb/dvb-usb-v2/az6007.c:821
>  i2c_transfer_buffer_flags+0x10c/0x190 drivers/i2c/i2c-core-base.c:2343
>  i2cdev_read+0x111/0x280 drivers/i2c/i2c-dev.c:155
>  do_loop_readv_writev fs/read_write.c:833 [inline]
>  do_preadv+0x1af/0x270 fs/read_write.c:1130
>  do_syscall_64+0xcd/0x260 arch/x86/entry/syscall_64.c:94
> 
> Reported-by: syzbot+0192952caa411a3be209@syzkaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=0192952caa411a3be209
> Signed-off-by: Edward Adam Davis <eadavis@qq.com>
> ---
>  drivers/media/usb/dvb-usb-v2/az6007.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
> 
> diff --git a/drivers/media/usb/dvb-usb-v2/az6007.c b/drivers/media/usb/dvb-usb-v2/az6007.c
> index 65ef045b74ca..6322894eda27 100644
> --- a/drivers/media/usb/dvb-usb-v2/az6007.c
> +++ b/drivers/media/usb/dvb-usb-v2/az6007.c
> @@ -806,7 +806,8 @@ static int az6007_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg msgs[],
>  			if (az6007_xfer_debug)
>  				printk(KERN_DEBUG "az6007: I2C R addr=0x%x len=%d\n",
>  				       addr, msgs[i].len);
> -			if (msgs[i].len < 1) {
> +			if (msgs[i].len < 1 ||
> +			    msgs[i].len > ARRAY_SIZE(st->data) - 5) {

Hmm, shouldn't this be '- 6'? Since a few lines below this the length passed
to __az6007_read is msgs[i].len + 6.

Regards,

	Hans

>  				ret = -EIO;
>  				goto err;
>  			}