[PATCH 5.4 39/99] media: dvb-usb: az6027: fix three null-ptr-deref in az6027_i2c_xfer()

stable.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	patches@lists.linux.dev, Wei Chen <harperchen1110@gmail.com>,
	Mauro Carvalho Chehab <mchehab@kernel.org>,
	Sasha Levin <sashal@kernel.org>
Subject: [PATCH 5.4 39/99] media: dvb-usb: az6027: fix three null-ptr-deref in az6027_i2c_xfer()
Date: Wed,  7 Jun 2023 22:16:31 +0200	[thread overview]
Message-ID: <20230607200901.478547002@linuxfoundation.org> (raw)
In-Reply-To: <20230607200900.195572674@linuxfoundation.org>

From: Wei Chen <harperchen1110@gmail.com>

[ Upstream commit 858e97d7956d17a2cb56a9413468704a4d5abfe1 ]

In az6027_i2c_xfer, msg is controlled by user. When msg[i].buf is null,
commit 0ed554fd769a ("media: dvb-usb: az6027: fix null-ptr-deref in
az6027_i2c_xfer()") fix the null-ptr-deref bug when msg[i].addr is 0x99.
However, null-ptr-deref also happens when msg[i].addr is 0xd0 and 0xc0.
We add check on msg[i].len to prevent null-ptr-deref.

Link: https://lore.kernel.org/linux-media/20230310165604.3093483-1-harperchen1110@gmail.com
Signed-off-by: Wei Chen <harperchen1110@gmail.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/media/usb/dvb-usb/az6027.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/drivers/media/usb/dvb-usb/az6027.c b/drivers/media/usb/dvb-usb/az6027.c
index ffc0db67d4d68..2b56393d10008 100644
--- a/drivers/media/usb/dvb-usb/az6027.c
+++ b/drivers/media/usb/dvb-usb/az6027.c
@@ -988,6 +988,10 @@ static int az6027_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg msg[], int n
 			/* write/read request */
 			if (i + 1 < num && (msg[i + 1].flags & I2C_M_RD)) {
 				req = 0xB9;
+				if (msg[i].len < 1) {
+					i = -EOPNOTSUPP;
+					break;
+				}
 				index = (((msg[i].buf[0] << 8) & 0xff00) | (msg[i].buf[1] & 0x00ff));
 				value = msg[i].addr + (msg[i].len << 8);
 				length = msg[i + 1].len + 6;
@@ -1001,6 +1005,10 @@ static int az6027_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg msg[], int n
 
 				/* demod 16bit addr */
 				req = 0xBD;
+				if (msg[i].len < 1) {
+					i = -EOPNOTSUPP;
+					break;
+				}
 				index = (((msg[i].buf[0] << 8) & 0xff00) | (msg[i].buf[1] & 0x00ff));
 				value = msg[i].addr + (2 << 8);
 				length = msg[i].len - 2;
@@ -1026,6 +1034,10 @@ static int az6027_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg msg[], int n
 			} else {
 
 				req = 0xBD;
+				if (msg[i].len < 1) {
+					i = -EOPNOTSUPP;
+					break;
+				}
 				index = msg[i].buf[0] & 0x00FF;
 				value = msg[i].addr + (1 << 8);
 				length = msg[i].len - 1;
-- 
2.39.2

next prev parent reply	other threads:[~2023-06-07 20:54 UTC|newest]

Thread overview: 108+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2023-06-07 20:15 [PATCH 5.4 00/99] 5.4.246-rc1 review Greg Kroah-Hartman
2023-06-07 20:15 ` [PATCH 5.4 01/99] RDMA/efa: Fix unsupported page sizes in device Greg Kroah-Hartman
2023-06-07 20:15 ` [PATCH 5.4 02/99] RDMA/bnxt_re: Enable SRIOV VF support on Broadcoms 57500 adapter series Greg Kroah-Hartman
2023-06-07 20:15 ` [PATCH 5.4 03/99] RDMA/bnxt_re: Refactor queue pair creation code Greg Kroah-Hartman
2023-06-07 20:15 ` [PATCH 5.4 04/99] RDMA/bnxt_re: Fix return value of bnxt_re_process_raw_qp_pkt_rx Greg Kroah-Hartman
2023-06-07 20:15 ` [PATCH 5.4 05/99] iommu/rockchip: Fix unwind goto issue Greg Kroah-Hartman
2023-06-07 20:15 ` [PATCH 5.4 06/99] iommu/amd: Dont block updates to GATag if guest mode is on Greg Kroah-Hartman
2023-06-07 20:15 ` [PATCH 5.4 07/99] dmaengine: pl330: rename _start to prevent build error Greg Kroah-Hartman
2023-06-07 20:16 ` [PATCH 5.4 08/99] net/mlx5: fw_tracer, Fix event handling Greg Kroah-Hartman
2023-06-07 20:16 ` [PATCH 5.4 09/99] netrom: fix info-leak in nr_write_internal() Greg Kroah-Hartman
2023-06-07 20:16 ` [PATCH 5.4 10/99] af_packet: Fix data-races of pkt_sk(sk)->num Greg Kroah-Hartman
2023-06-07 20:16 ` [PATCH 5.4 11/99] amd-xgbe: fix the false linkup in xgbe_phy_status Greg Kroah-Hartman
2023-06-07 20:16 ` [PATCH 5.4 12/99] mtd: rawnand: ingenic: fix empty stub helper definitions Greg Kroah-Hartman
2023-06-07 20:16 ` [PATCH 5.4 13/99] af_packet: do not use READ_ONCE() in packet_bind() Greg Kroah-Hartman
2023-06-07 20:16 ` [PATCH 5.4 14/99] tcp: deny tcp_disconnect() when threads are waiting Greg Kroah-Hartman
2023-06-07 20:16 ` [PATCH 5.4 15/99] tcp: Return user_mss for TCP_MAXSEG in CLOSE/LISTEN state if user_mss set Greg Kroah-Hartman
2023-06-07 20:16 ` [PATCH 5.4 16/99] net/sched: sch_ingress: Only create under TC_H_INGRESS Greg Kroah-Hartman
2023-06-07 20:16 ` [PATCH 5.4 17/99] net/sched: sch_clsact: Only create under TC_H_CLSACT Greg Kroah-Hartman
2023-06-07 20:16 ` [PATCH 5.4 18/99] net/sched: Reserve TC_H_INGRESS (TC_H_CLSACT) for ingress (clsact) Qdiscs Greg Kroah-Hartman
2023-06-07 20:16 ` [PATCH 5.4 19/99] net/sched: Prohibit regrafting ingress or clsact Qdiscs Greg Kroah-Hartman
2023-06-07 20:16 ` [PATCH 5.4 20/99] net: sched: fix NULL pointer dereference in mq_attach Greg Kroah-Hartman
2023-06-07 20:16 ` [PATCH 5.4 21/99] ocfs2/dlm: move BITS_TO_BYTES() to bitops.h for wider use Greg Kroah-Hartman
2023-06-07 20:16 ` [PATCH 5.4 22/99] net/netlink: fix NETLINK_LIST_MEMBERSHIPS length report Greg Kroah-Hartman
2023-06-07 20:16 ` [PATCH 5.4 23/99] udp6: Fix race condition in udp6_sendmsg & connect Greg Kroah-Hartman
2023-06-07 20:16 ` [PATCH 5.4 24/99] net/sched: flower: fix possible OOB write in fl_set_geneve_opt() Greg Kroah-Hartman
2023-06-07 20:16 ` [PATCH 5.4 25/99] net: dsa: mv88e6xxx: Increase wait after reset deactivation Greg Kroah-Hartman
2023-06-07 20:16 ` [PATCH 5.4 26/99] mtd: rawnand: marvell: ensure timing values are written Greg Kroah-Hartman
2023-06-07 20:16 ` [PATCH 5.4 27/99] mtd: rawnand: marvell: dont set the NAND frequency select Greg Kroah-Hartman
2023-06-07 20:16 ` [PATCH 5.4 28/99] watchdog: menz069_wdt: fix watchdog initialisation Greg Kroah-Hartman
2023-06-07 20:16 ` [PATCH 5.4 29/99] mailbox: mailbox-test: Fix potential double-free in mbox_test_message_write() Greg Kroah-Hartman
2023-06-07 20:16 ` [PATCH 5.4 30/99] ARM: 9295/1: unwind:fix unwind abort for uleb128 case Greg Kroah-Hartman
2023-06-07 20:16 ` [PATCH 5.4 31/99] media: rcar-vin: Select correct interrupt mode for V4L2_FIELD_ALTERNATE Greg Kroah-Hartman
2023-06-07 20:16 ` [PATCH 5.4 32/99] fbdev: modedb: Add 1920x1080 at 60 Hz video mode Greg Kroah-Hartman
2023-06-07 20:16 ` [PATCH 5.4 33/99] fbdev: stifb: Fix info entry in sti_struct on error path Greg Kroah-Hartman
2023-06-07 20:16 ` [PATCH 5.4 34/99] nbd: Fix debugfs_create_dir error checking Greg Kroah-Hartman
2023-06-07 20:16 ` [PATCH 5.4 35/99] ASoC: dwc: limit the number of overrun messages Greg Kroah-Hartman
2023-06-07 20:16 ` [PATCH 5.4 36/99] xfrm: Check if_id in inbound policy/secpath match Greg Kroah-Hartman
2023-06-07 20:16 ` [PATCH 5.4 37/99] ASoC: ssm2602: Add workaround for playback distortions Greg Kroah-Hartman
2023-06-07 20:16 ` [PATCH 5.4 38/99] media: dvb_demux: fix a bug for the continuity counter Greg Kroah-Hartman
2023-06-07 20:16 ` Greg Kroah-Hartman [this message]
2023-06-07 20:16 ` [PATCH 5.4 40/99] media: dvb-usb-v2: ec168: fix null-ptr-deref in ec168_i2c_xfer() Greg Kroah-Hartman
2023-06-07 20:16 ` [PATCH 5.4 41/99] media: dvb-usb-v2: ce6230: fix null-ptr-deref in ce6230_i2c_master_xfer() Greg Kroah-Hartman
2023-06-07 20:16 ` [PATCH 5.4 42/99] media: dvb-usb-v2: rtl28xxu: fix null-ptr-deref in rtl28xxu_i2c_xfer Greg Kroah-Hartman
2023-06-07 20:16 ` [PATCH 5.4 43/99] media: dvb-usb: digitv: fix null-ptr-deref in digitv_i2c_xfer() Greg Kroah-Hartman
2023-06-07 20:16 ` [PATCH 5.4 44/99] media: dvb-usb: dw2102: fix uninit-value in su3000_read_mac_address Greg Kroah-Hartman
2023-06-07 20:16 ` [PATCH 5.4 45/99] media: netup_unidvb: fix irq init by register it at the end of probe Greg Kroah-Hartman
2023-06-07 20:16 ` [PATCH 5.4 46/99] media: dvb_ca_en50221: fix a size write bug Greg Kroah-Hartman
2023-06-07 20:16 ` [PATCH 5.4 47/99] media: ttusb-dec: fix memory leak in ttusb_dec_exit_dvb() Greg Kroah-Hartman
2023-06-07 20:16 ` [PATCH 5.4 48/99] media: mn88443x: fix !CONFIG_OF error by drop of_match_ptr from ID table Greg Kroah-Hartman
2023-06-07 20:16 ` [PATCH 5.4 49/99] media: dvb-core: Fix use-after-free due on race condition at dvb_net Greg Kroah-Hartman
2023-06-07 20:16 ` [PATCH 5.4 50/99] media: dvb-core: Fix kernel WARNING for blocking operation in wait_event*() Greg Kroah-Hartman
2023-06-07 20:16 ` [PATCH 5.4 51/99] media: dvb-core: Fix use-after-free due to race condition at dvb_ca_en50221 Greg Kroah-Hartman
2023-06-07 20:16 ` [PATCH 5.4 52/99] wifi: rtl8xxxu: fix authentication timeout due to incorrect RCR value Greg Kroah-Hartman
2023-06-07 20:16 ` [PATCH 5.4 53/99] ARM: dts: stm32: add pin map for CAN controller on stm32f7 Greg Kroah-Hartman
2023-06-07 20:16 ` [PATCH 5.4 54/99] arm64/mm: mark private VM_FAULT_X defines as vm_fault_t Greg Kroah-Hartman
2023-06-07 20:16 ` [PATCH 5.4 55/99] scsi: core: Decrease scsi_devices iorequest_cnt if dispatch failed Greg Kroah-Hartman
2023-06-07 20:16 ` [PATCH 5.4 56/99] wifi: b43: fix incorrect __packed annotation Greg Kroah-Hartman
2023-06-07 20:16 ` [PATCH 5.4 57/99] netfilter: conntrack: define variables exp_nat_nla_policy and any_addr with CONFIG_NF_NAT Greg Kroah-Hartman
2023-06-07 20:16 ` [PATCH 5.4 58/99] ALSA: oss: avoid missing-prototype warnings Greg Kroah-Hartman
2023-06-07 20:16 ` [PATCH 5.4 59/99] atm: hide unused procfs functions Greg Kroah-Hartman
2023-06-07 20:16 ` [PATCH 5.4 60/99] mailbox: mailbox-test: fix a locking issue in mbox_test_message_write() Greg Kroah-Hartman
2023-06-07 20:16 ` [PATCH 5.4 61/99] iio: adc: mxs-lradc: fix the order of two cleanup operations Greg Kroah-Hartman
2023-06-07 20:16 ` [PATCH 5.4 62/99] HID: google: add jewel USB id Greg Kroah-Hartman
2023-06-07 20:16 ` [PATCH 5.4 63/99] HID: wacom: avoid integer overflow in wacom_intuos_inout() Greg Kroah-Hartman
2023-06-07 20:16 ` [PATCH 5.4 64/99] iio: light: vcnl4035: fixed chip ID check Greg Kroah-Hartman
2023-06-07 20:16 ` [PATCH 5.4 65/99] iio: dac: mcp4725: Fix i2c_master_send() return value handling Greg Kroah-Hartman
2023-06-07 20:16 ` [PATCH 5.4 66/99] iio: dac: build ad5758 driver when AD5758 is selected Greg Kroah-Hartman
2023-06-07 20:16 ` [PATCH 5.4 67/99] net: usb: qmi_wwan: Set DTR quirk for BroadMobi BM818 Greg Kroah-Hartman
2023-06-07 20:17 ` [PATCH 5.4 68/99] usb: gadget: f_fs: Add unbind event before functionfs_unbind Greg Kroah-Hartman
2023-06-07 20:17 ` [PATCH 5.4 69/99] misc: fastrpc: return -EPIPE to invocations on device removal Greg Kroah-Hartman
2023-06-07 20:17 ` [PATCH 5.4 70/99] misc: fastrpc: reject new invocations during " Greg Kroah-Hartman
2023-06-07 20:17 ` [PATCH 5.4 71/99] scsi: stex: Fix gcc 13 warnings Greg Kroah-Hartman
2023-06-07 20:17 ` [PATCH 5.4 72/99] ata: libata-scsi: Use correct device no in ata_find_dev() Greg Kroah-Hartman
2023-06-07 20:17 ` [PATCH 5.4 73/99] flow_dissector: work around stack frame size warning Greg Kroah-Hartman
2023-06-07 20:17 ` [PATCH 5.4 74/99] x86/boot: Wrap literal addresses in absolute_pointer() Greg Kroah-Hartman
2023-06-07 20:17 ` [PATCH 5.4 75/99] ACPI: thermal: drop an always true check Greg Kroah-Hartman
2023-06-07 20:17 ` [PATCH 5.4 76/99] gcc-12: disable -Wdangling-pointer warning for now Greg Kroah-Hartman
2023-06-07 20:17 ` [PATCH 5.4 77/99] eth: sun: cassini: remove dead code Greg Kroah-Hartman
2023-06-07 20:17 ` [PATCH 5.4 78/99] kernel/extable.c: use address-of operator on section symbols Greg Kroah-Hartman
2023-06-07 20:17 ` [PATCH 5.4 79/99] treewide: Remove uninitialized_var() usage Greg Kroah-Hartman
2023-06-07 20:17 ` [PATCH 5.4 80/99] lib/dynamic_debug.c: use address-of operator on section symbols Greg Kroah-Hartman
2023-06-07 20:17 ` [PATCH 5.4 81/99] wifi: rtlwifi: remove always-true condition pointed out by GCC 12 Greg Kroah-Hartman
2023-06-07 20:17 ` [PATCH 5.4 82/99] mmc: vub300: fix invalid response handling Greg Kroah-Hartman
2023-06-07 20:17 ` [PATCH 5.4 83/99] tty: serial: fsl_lpuart: use UARTCTRL_TXINV to send break instead of UARTCTRL_SBK Greg Kroah-Hartman
2023-06-07 20:17 ` [PATCH 5.4 84/99] selinux: dont use makes grouped targets feature yet Greg Kroah-Hartman
2023-06-07 20:17 ` [PATCH 5.4 85/99] tracing/probe: trace_probe_primary_from_call(): checked list_first_entry Greg Kroah-Hartman
2023-06-07 20:17 ` [PATCH 5.4 86/99] ext4: add EA_INODE checking to ext4_iget() Greg Kroah-Hartman
2023-06-07 20:17 ` [PATCH 5.4 87/99] ext4: set lockdep subclass for the ea_inode in ext4_xattr_inode_cache_find() Greg Kroah-Hartman
2023-06-07 20:17 ` [PATCH 5.4 88/99] ext4: disallow ea_inodes with extended attributes Greg Kroah-Hartman
2023-06-07 20:17 ` [PATCH 5.4 89/99] ext4: add lockdep annotations for i_data_sem for ea_inodes Greg Kroah-Hartman
2023-06-07 20:17 ` [PATCH 5.4 90/99] fbcon: Fix null-ptr-deref in soft_cursor Greg Kroah-Hartman
2023-06-07 20:17 ` [PATCH 5.4 91/99] test_firmware: fix the memory leak of the allocated firmware buffer Greg Kroah-Hartman
2023-06-07 20:17 ` [PATCH 5.4 92/99] regmap: Account for register length when chunking Greg Kroah-Hartman
2023-06-07 20:17 ` [PATCH 5.4 93/99] scsi: dpt_i2o: Remove broken pass-through ioctl (I2OUSERCMD) Greg Kroah-Hartman
2023-06-07 20:17 ` [PATCH 5.4 94/99] scsi: dpt_i2o: Do not process completions with invalid addresses Greg Kroah-Hartman
2023-06-07 20:17 ` [PATCH 5.4 95/99] RDMA/bnxt_re: Remove set but not used variable dev_attr Greg Kroah-Hartman
2023-06-07 20:17 ` [PATCH 5.4 96/99] RDMA/bnxt_re: Remove the qp from list only if the qp destroy succeeds Greg Kroah-Hartman
2023-06-07 20:17 ` [PATCH 5.4 97/99] drm/edid: Fix uninitialized variable in drm_cvt_modes() Greg Kroah-Hartman
2023-06-07 20:17 ` [PATCH 5.4 98/99] wifi: rtlwifi: 8192de: correct checking of IQK reload Greg Kroah-Hartman
2023-06-07 20:17 ` [PATCH 5.4 99/99] drm/edid: fix objtool warning in drm_cvt_modes() Greg Kroah-Hartman
2023-06-07 22:18 ` [PATCH 5.4 00/99] 5.4.246-rc1 review Florian Fainelli
2023-06-08  1:27 ` Shuah Khan
2023-06-08  7:20 ` Chris Paterson
2023-06-08 15:03 ` Naresh Kamboju
2023-06-08 15:43 ` Harshit Mogalapalli
2023-06-09  0:27 ` Guenter Roeck
2023-06-09  8:15 ` Sudip Mukherjee (Codethink)
2023-06-09 16:17 ` Jon Hunter

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:ffc0db67d4d6 dfblob:2b56393d1000 )
 OR (
bs:"[PATCH 5.4 39/99] media: dvb-usb: az6027: fix three null-ptr-deref in az6027_i2c_xfer()" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20230607200901.478547002@linuxfoundation.org \
    --to=gregkh@linuxfoundation.org \
    --cc=harperchen1110@gmail.com \
    --cc=mchehab@kernel.org \
    --cc=patches@lists.linux.dev \
    --cc=sashal@kernel.org \
    --cc=stable@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).