From: pip-izony <eeodqql09@gmail.com>
To: Mauro Carvalho Chehab <mchehab@kernel.org>
Cc: Seungjin Bae <eeodqql09@gmail.com>,
Kyungtae Kim <Kyungtae.Kim@dartmouth.edu>,
Sanghoon Choi <csh0052@gmail.com>,
linux-media@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH v2] media: ttusb-dec: fix heap-buffer-overflow in ttusb_dec_process_urb_frame()
Date: Mon, 22 Dec 2025 00:46:45 -0500 [thread overview]
Message-ID: <20251222054644.938208-2-eeodqql09@gmail.com> (raw)
In-Reply-To: <20251222002019.882867-2-eeodqql09@gmail.com>
From: Seungjin Bae <eeodqql09@gmail.com>
The `ttusb_dec_process_urb_frame()` parses the PVA packet from the
USB device. However, it doesn't check whether the calculated
`packet_payload_length` exceeds the size of the `packet` buffer.
The `packet` buffer has a fixed size of `MAX_PVA_LENGTH + 4`. However,
`packet_payload_length` is derived from 2 bytes of the input data,
allowing a maximum value of 65543 bytes (8 + 0xFFFF).
If a malicious USB device sends a packet with crafted data, it
triggers a heap buffer overflow. This allows an attacker to overwrite
adjacent fields in the `struct ttusb_dec`. Specifically, the `a_pes2ts`
field, which contains a callback function pointer, is located after the
`packet` buffer. Overwriting this pointer can lead to control flow
hijacking.
Fix this by adding a bounds check for the parsed length against the
buffer size.
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Co-developed-by: Sanghoon Choi <csh0052@gmail.com>
Signed-off-by: Sanghoon Choi <csh0052@gmail.com>
Signed-off-by: Seungjin Bae <eeodqql09@gmail.com>
---
v1 -> v2: Change warning function
drivers/media/usb/ttusb-dec/ttusb_dec.c | 13 +++++++++++--
1 file changed, 11 insertions(+), 2 deletions(-)
diff --git a/drivers/media/usb/ttusb-dec/ttusb_dec.c b/drivers/media/usb/ttusb-dec/ttusb_dec.c
index b4575fe89c95..0e983783e787 100644
--- a/drivers/media/usb/ttusb-dec/ttusb_dec.c
+++ b/drivers/media/usb/ttusb-dec/ttusb_dec.c
@@ -703,10 +703,19 @@ static void ttusb_dec_process_urb_frame(struct ttusb_dec *dec, u8 *b,
if (dec->packet_type == TTUSB_DEC_PACKET_PVA &&
dec->packet_length == 8) {
- dec->packet_state++;
- dec->packet_payload_length = 8 +
+ int len = 8 +
(dec->packet[6] << 8) +
dec->packet[7];
+
+ if (len > MAX_PVA_LENGTH + 4) {
+ dev_warn(&dec->udev->dev,
+ "%s: packet too long - discarding\n"
+ __func__);
+ dec->packet_state = 0;
+ } else {
+ dec->packet_state++;
+ dec->packet_payload_length = len;
+ }
} else if (dec->packet_type ==
TTUSB_DEC_PACKET_SECTION &&
dec->packet_length == 5) {
--
2.43.0
next prev parent reply other threads:[~2025-12-22 5:47 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-12-22 0:20 [PATCH] media: ttusb-dec: fix heap-buffer-overflow in ttusb_dec_process_urb_frame() pip-izony
2025-12-22 5:46 ` pip-izony [this message]
2025-12-23 0:31 ` [PATCH v2] " kernel test robot
2025-12-23 1:01 ` [PATCH v3] " pip-izony
2025-12-30 19:50 ` [PATCH v4] " pip-izony
2025-12-23 1:17 ` [PATCH v2] " kernel test robot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20251222054644.938208-2-eeodqql09@gmail.com \
--to=eeodqql09@gmail.com \
--cc=Kyungtae.Kim@dartmouth.edu \
--cc=csh0052@gmail.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-media@vger.kernel.org \
--cc=mchehab@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox