From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 7470430FA4 for ; Wed, 20 Sep 2023 12:19:51 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id F1AE2C433CA; Wed, 20 Sep 2023 12:19:50 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1695212391; bh=3zaeCMRKIDtBHcXKz7Quf6uzsYun4oKH+AKt/eHyQ9k=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=TRd5g7K1SF5dJONJ8NGQB9Tt7Ke2fqF6tO0FguF+fobBS+EfnVGI7DPV5M7IvyVG7 SFVZHEs19VhtANouwKuBS5ZmNowoZjugm8ys1ms9n7nBfO+9IggWC+2+29LmD2UiW1 DrnE2QMe2vFtMZ+EmwwQA6wxpS5bOUe6SXhLO7/0= From: Greg Kroah-Hartman To: stable@vger.kernel.org Cc: Greg Kroah-Hartman , patches@lists.linux.dev, Zhang Shurong , Hans Verkuil , Sasha Levin Subject: [PATCH 4.19 258/273] media: az6007: Fix null-ptr-deref in az6007_i2c_xfer() Date: Wed, 20 Sep 2023 13:31:38 +0200 Message-ID: <20230920112854.243422878@linuxfoundation.org> X-Mailer: git-send-email 2.42.0 In-Reply-To: <20230920112846.440597133@linuxfoundation.org> References: <20230920112846.440597133@linuxfoundation.org> User-Agent: quilt/0.67 X-stable: review X-Patchwork-Hint: ignore Precedence: bulk X-Mailing-List: patches@lists.linux.dev List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit 4.19-stable review patch. If anyone has any objections, please let me know. ------------------ From: Zhang Shurong [ Upstream commit 1047f9343011f2cedc73c64829686206a7e9fc3f ] In az6007_i2c_xfer, msg is controlled by user. When msg[i].buf is null and msg[i].len is zero, former checks on msg[i].buf would be passed. Malicious data finally reach az6007_i2c_xfer. If accessing msg[i].buf[0] without sanity check, null ptr deref would happen. We add check on msg[i].len to prevent crash. Similar commit: commit 0ed554fd769a ("media: dvb-usb: az6027: fix null-ptr-deref in az6027_i2c_xfer()") Signed-off-by: Zhang Shurong Signed-off-by: Hans Verkuil Signed-off-by: Sasha Levin --- drivers/media/usb/dvb-usb-v2/az6007.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/drivers/media/usb/dvb-usb-v2/az6007.c b/drivers/media/usb/dvb-usb-v2/az6007.c index 8e914be5b7c5e..2f40eb6bdbb83 100644 --- a/drivers/media/usb/dvb-usb-v2/az6007.c +++ b/drivers/media/usb/dvb-usb-v2/az6007.c @@ -796,6 +796,10 @@ static int az6007_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg msgs[], if (az6007_xfer_debug) printk(KERN_DEBUG "az6007: I2C W addr=0x%x len=%d\n", addr, msgs[i].len); + if (msgs[i].len < 1) { + ret = -EIO; + goto err; + } req = AZ6007_I2C_WR; index = msgs[i].buf[0]; value = addr | (1 << 8); @@ -810,6 +814,10 @@ static int az6007_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg msgs[], if (az6007_xfer_debug) printk(KERN_DEBUG "az6007: I2C R addr=0x%x len=%d\n", addr, msgs[i].len); + if (msgs[i].len < 1) { + ret = -EIO; + goto err; + } req = AZ6007_I2C_RD; index = msgs[i].buf[0]; value = addr; -- 2.40.1