From: Sasha Levin
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Takashi Iwai, syzbot+59875ffef5cb9c9b29e9@syzkaller.appspotmail.com, "Ricardo B . Marliere", Sean Young, Hans Verkuil, Sasha Levin, gautammenghani201@gmail.com, linux-media@vger.kernel.org
Subject: [PATCH AUTOSEL 6.6 08/11] media: imon: fix access to invalid resource for the second interface
Date: Sun, 12 Nov 2023 08:27:31 -0500
Message-ID: <20231112132736.175494-8-sashal@kernel.org>
In-Reply-To: <20231112132736.175494-1-sashal@kernel.org>
References: <20231112132736.175494-1-sashal@kernel.org>
X-stable: review
X-stable-base: Linux 6.6.1

From: Takashi Iwai

[ Upstream commit a1766a4fd83befa0b34d932d532e7ebb7fab1fa7 ]

imon driver probes two USB interfaces, and at the probe of the second
interface, the driver assumes blindly that the first interface got
bound with the same imon driver. It's usually true, but it's still
possible that the first interface is bound with another driver via a
malformed descriptor. Then it may lead to a memory corruption, as
spotted by syzkaller; imon driver accesses the data from drvdata as
struct imon_context object although it's a completely different one
that was assigned by another driver.

This patch adds a sanity check -- whether the first interface is
really bound with the imon driver or not -- for avoiding the problem
above at the probe time.

Reported-by: syzbot+59875ffef5cb9c9b29e9@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/all/000000000000a838aa0603cc74d6@google.com/
Tested-by: Ricardo B. Marliere
Link: https://lore.kernel.org/r/20230922005152.163640-1-ricardo@marliere.net
Signed-off-by: Takashi Iwai
Signed-off-by: Sean Young
Signed-off-by: Hans Verkuil
Signed-off-by: Sasha Levin
---
 drivers/media/rc/imon.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/drivers/media/rc/imon.c b/drivers/media/rc/imon.c index 74546f7e34691..5719dda6e0f0e 100644 --- a/drivers/media/rc/imon.c +++ b/drivers/media/rc/imon.c @@ -2427,6 +2427,12 @@ static int imon_probe(struct usb_interface *interface, goto fail; } + if (first_if->dev.driver != interface->dev.driver) { + dev_err(&interface->dev, "inconsistent driver matching\n"); + ret = -EINVAL; + goto fail; + } + if (ifnum == 0) { ictx = imon_init_intf0(interface, id); if (!ictx) { -- 2.42.0
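
Review bot: The added `first_if->dev.driver != interface->dev.driver` test has no comment saying what it protects, and it sits ahead of the `if (ifnum == 0)` branch, so it also runs when probing interface 0 rather than only on the second-interface path the commit message describes. A one-line comment above the check, stating that the first interface's drvdata is only trusted as a struct imon_context when the same driver is bound to it, would keep the intent clear for later readers; if the check is meant only for the second interface, say so in the comment or move it under the non-zero `ifnum` path. The `dev_err()` text "inconsistent driver matching\n" could also include `ifnum` so the log line identifies which probe was rejected.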