From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev, Wei Chen <harperchen1110@gmail.com>,
Mauro Carvalho Chehab <mchehab@kernel.org>,
Sasha Levin <sashal@kernel.org>
Subject: [PATCH 5.10 051/120] media: dvb-usb-v2: ce6230: fix null-ptr-deref in ce6230_i2c_master_xfer()
Date: Wed, 7 Jun 2023 22:16:07 +0200 [thread overview]
Message-ID: <20230607200902.508540007@linuxfoundation.org> (raw)
In-Reply-To: <20230607200900.915613242@linuxfoundation.org>
From: Wei Chen <harperchen1110@gmail.com>
[ Upstream commit dff919090155fb22679869e8469168f270dcd97f ]
In ce6230_i2c_master_xfer, msg is controlled by user. When msg[i].buf
is null and msg[i].len is zero, former checks on msg[i].buf would be
passed. Malicious data finally reach ce6230_i2c_master_xfer. If accessing
msg[i].buf[0] without sanity check, null ptr deref would happen. We add
check on msg[i].len to prevent crash.
Similar commit:
commit 0ed554fd769a ("media: dvb-usb: az6027: fix null-ptr-deref in az6027_i2c_xfer()")
Link: https://lore.kernel.org/linux-media/20230313092751.209496-1-harperchen1110@gmail.com
Signed-off-by: Wei Chen <harperchen1110@gmail.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/media/usb/dvb-usb-v2/ce6230.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/drivers/media/usb/dvb-usb-v2/ce6230.c b/drivers/media/usb/dvb-usb-v2/ce6230.c
index 44540de1a2066..d3b5cb4a24daf 100644
--- a/drivers/media/usb/dvb-usb-v2/ce6230.c
+++ b/drivers/media/usb/dvb-usb-v2/ce6230.c
@@ -101,6 +101,10 @@ static int ce6230_i2c_master_xfer(struct i2c_adapter *adap,
if (num > i + 1 && (msg[i+1].flags & I2C_M_RD)) {
if (msg[i].addr ==
ce6230_zl10353_config.demod_address) {
+ if (msg[i].len < 1) {
+ i = -EOPNOTSUPP;
+ break;
+ }
req.cmd = DEMOD_READ;
req.value = msg[i].addr >> 1;
req.index = msg[i].buf[0];
@@ -117,6 +121,10 @@ static int ce6230_i2c_master_xfer(struct i2c_adapter *adap,
} else {
if (msg[i].addr ==
ce6230_zl10353_config.demod_address) {
+ if (msg[i].len < 1) {
+ i = -EOPNOTSUPP;
+ break;
+ }
req.cmd = DEMOD_WRITE;
req.value = msg[i].addr >> 1;
req.index = msg[i].buf[0];
--
2.39.2
next prev parent reply other threads:[~2023-06-07 20:50 UTC|newest]
Thread overview: 128+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-06-07 20:15 [PATCH 5.10 000/120] 5.10.183-rc1 review Greg Kroah-Hartman
2023-06-07 20:15 ` [PATCH 5.10 001/120] RDMA/bnxt_re: Code refactor while populating user MRs Greg Kroah-Hartman
2023-06-07 20:15 ` [PATCH 5.10 002/120] RDMA/bnxt_re: Fix the page_size used during the MR creation Greg Kroah-Hartman
2023-06-07 20:15 ` [PATCH 5.10 003/120] RDMA/efa: Fix unsupported page sizes in device Greg Kroah-Hartman
2023-06-07 20:15 ` [PATCH 5.10 004/120] dmaengine: at_xdmac: Fix concurrency over chans completed_cookie Greg Kroah-Hartman
2023-06-07 20:15 ` [PATCH 5.10 005/120] dmaengine: at_xdmac: Fix race for the tx desc callback Greg Kroah-Hartman
2023-06-07 20:15 ` [PATCH 5.10 006/120] dmaengine: at_xdmac: Move the free desc to the tail of the desc list Greg Kroah-Hartman
2023-06-07 20:15 ` [PATCH 5.10 007/120] dmaengine: at_xdmac: fix potential Oops in at_xdmac_prep_interleaved() Greg Kroah-Hartman
2023-06-07 20:15 ` [PATCH 5.10 008/120] RDMA/bnxt_re: Fix a possible memory leak Greg Kroah-Hartman
2023-06-07 20:15 ` [PATCH 5.10 009/120] RDMA/bnxt_re: Fix return value of bnxt_re_process_raw_qp_pkt_rx Greg Kroah-Hartman
2023-06-07 20:15 ` [PATCH 5.10 010/120] iommu/rockchip: Fix unwind goto issue Greg Kroah-Hartman
2023-06-07 20:15 ` [PATCH 5.10 011/120] iommu/amd: Dont block updates to GATag if guest mode is on Greg Kroah-Hartman
2023-06-07 20:15 ` [PATCH 5.10 012/120] dmaengine: pl330: rename _start to prevent build error Greg Kroah-Hartman
2023-06-07 20:15 ` [PATCH 5.10 013/120] net/mlx5: fw_tracer, Fix event handling Greg Kroah-Hartman
2023-06-07 20:15 ` [PATCH 5.10 014/120] netrom: fix info-leak in nr_write_internal() Greg Kroah-Hartman
2023-06-07 20:15 ` [PATCH 5.10 015/120] af_packet: Fix data-races of pkt_sk(sk)->num Greg Kroah-Hartman
2023-06-07 20:15 ` [PATCH 5.10 016/120] amd-xgbe: fix the false linkup in xgbe_phy_status Greg Kroah-Hartman
2023-06-07 20:15 ` [PATCH 5.10 017/120] mtd: rawnand: ingenic: fix empty stub helper definitions Greg Kroah-Hartman
2023-06-07 20:15 ` [PATCH 5.10 018/120] af_packet: do not use READ_ONCE() in packet_bind() Greg Kroah-Hartman
2023-06-07 20:15 ` [PATCH 5.10 019/120] tcp: deny tcp_disconnect() when threads are waiting Greg Kroah-Hartman
2023-06-07 20:15 ` [PATCH 5.10 020/120] tcp: Return user_mss for TCP_MAXSEG in CLOSE/LISTEN state if user_mss set Greg Kroah-Hartman
2023-06-07 20:15 ` [PATCH 5.10 021/120] net/sched: sch_ingress: Only create under TC_H_INGRESS Greg Kroah-Hartman
2023-06-07 20:15 ` [PATCH 5.10 022/120] net/sched: sch_clsact: Only create under TC_H_CLSACT Greg Kroah-Hartman
2023-06-07 20:15 ` [PATCH 5.10 023/120] net/sched: Reserve TC_H_INGRESS (TC_H_CLSACT) for ingress (clsact) Qdiscs Greg Kroah-Hartman
2023-06-07 20:15 ` [PATCH 5.10 024/120] net/sched: Prohibit regrafting ingress or clsact Qdiscs Greg Kroah-Hartman
2023-06-07 20:15 ` [PATCH 5.10 025/120] net: sched: fix NULL pointer dereference in mq_attach Greg Kroah-Hartman
2023-06-07 20:15 ` [PATCH 5.10 026/120] net/netlink: fix NETLINK_LIST_MEMBERSHIPS length report Greg Kroah-Hartman
2023-06-07 20:15 ` [PATCH 5.10 027/120] udp6: Fix race condition in udp6_sendmsg & connect Greg Kroah-Hartman
2023-06-07 20:15 ` [PATCH 5.10 028/120] net/mlx5: Read embedded cpu after init bit cleared Greg Kroah-Hartman
2023-06-07 20:15 ` [PATCH 5.10 029/120] net/sched: flower: fix possible OOB write in fl_set_geneve_opt() Greg Kroah-Hartman
2023-06-07 20:15 ` [PATCH 5.10 030/120] net: dsa: mv88e6xxx: Increase wait after reset deactivation Greg Kroah-Hartman
2023-06-07 20:15 ` [PATCH 5.10 031/120] mtd: rawnand: marvell: ensure timing values are written Greg Kroah-Hartman
2023-06-07 20:15 ` [PATCH 5.10 032/120] mtd: rawnand: marvell: dont set the NAND frequency select Greg Kroah-Hartman
2023-06-07 20:15 ` [PATCH 5.10 033/120] watchdog: menz069_wdt: fix watchdog initialisation Greg Kroah-Hartman
2023-06-07 20:15 ` [PATCH 5.10 034/120] ALSA: hda: Glenfly: add HD Audio PCI IDs and HDMI Codec Vendor IDs Greg Kroah-Hartman
2023-06-07 20:15 ` [PATCH 5.10 035/120] mailbox: mailbox-test: Fix potential double-free in mbox_test_message_write() Greg Kroah-Hartman
2023-06-07 20:15 ` [PATCH 5.10 036/120] btrfs: abort transaction when sibling keys check fails for leaves Greg Kroah-Hartman
2023-06-07 20:15 ` [PATCH 5.10 037/120] ARM: 9295/1: unwind:fix unwind abort for uleb128 case Greg Kroah-Hartman
2023-06-07 20:15 ` [PATCH 5.10 038/120] media: rcar-vin: Select correct interrupt mode for V4L2_FIELD_ALTERNATE Greg Kroah-Hartman
2023-06-07 20:15 ` [PATCH 5.10 039/120] gfs2: Dont deref jdesc in evict Greg Kroah-Hartman
2023-06-07 20:15 ` [PATCH 5.10 040/120] fbdev: modedb: Add 1920x1080 at 60 Hz video mode Greg Kroah-Hartman
2023-06-07 20:15 ` [PATCH 5.10 041/120] fbdev: stifb: Fix info entry in sti_struct on error path Greg Kroah-Hartman
2023-06-07 20:15 ` [PATCH 5.10 042/120] nbd: Fix debugfs_create_dir error checking Greg Kroah-Hartman
2023-06-07 20:15 ` [PATCH 5.10 043/120] block/rnbd: replace REQ_OP_FLUSH with REQ_OP_WRITE Greg Kroah-Hartman
2023-06-07 20:16 ` [PATCH 5.10 044/120] ASoC: dwc: limit the number of overrun messages Greg Kroah-Hartman
2023-06-07 20:16 ` [PATCH 5.10 045/120] xfrm: Check if_id in inbound policy/secpath match Greg Kroah-Hartman
2023-06-07 20:16 ` [PATCH 5.10 046/120] ASoC: dt-bindings: Adjust #sound-dai-cells on TIs single-DAI codecs Greg Kroah-Hartman
2023-06-07 20:16 ` [PATCH 5.10 047/120] ASoC: ssm2602: Add workaround for playback distortions Greg Kroah-Hartman
2023-06-07 20:16 ` [PATCH 5.10 048/120] media: dvb_demux: fix a bug for the continuity counter Greg Kroah-Hartman
2023-06-07 20:16 ` [PATCH 5.10 049/120] media: dvb-usb: az6027: fix three null-ptr-deref in az6027_i2c_xfer() Greg Kroah-Hartman
2023-06-07 20:16 ` [PATCH 5.10 050/120] media: dvb-usb-v2: ec168: fix null-ptr-deref in ec168_i2c_xfer() Greg Kroah-Hartman
2023-06-07 20:16 ` Greg Kroah-Hartman [this message]
2023-06-07 20:16 ` [PATCH 5.10 052/120] media: dvb-usb-v2: rtl28xxu: fix null-ptr-deref in rtl28xxu_i2c_xfer Greg Kroah-Hartman
2023-06-07 20:16 ` [PATCH 5.10 053/120] media: dvb-usb: digitv: fix null-ptr-deref in digitv_i2c_xfer() Greg Kroah-Hartman
2023-06-07 20:16 ` [PATCH 5.10 054/120] media: dvb-usb: dw2102: fix uninit-value in su3000_read_mac_address Greg Kroah-Hartman
2023-06-07 20:16 ` [PATCH 5.10 055/120] media: netup_unidvb: fix irq init by register it at the end of probe Greg Kroah-Hartman
2023-06-07 20:16 ` [PATCH 5.10 056/120] media: dvb_ca_en50221: fix a size write bug Greg Kroah-Hartman
2023-06-07 20:16 ` [PATCH 5.10 057/120] media: ttusb-dec: fix memory leak in ttusb_dec_exit_dvb() Greg Kroah-Hartman
2023-06-07 20:16 ` [PATCH 5.10 058/120] media: mn88443x: fix !CONFIG_OF error by drop of_match_ptr from ID table Greg Kroah-Hartman
2023-06-07 20:16 ` [PATCH 5.10 059/120] media: dvb-core: Fix use-after-free due on race condition at dvb_net Greg Kroah-Hartman
2023-06-07 20:16 ` [PATCH 5.10 060/120] media: dvb-core: Fix kernel WARNING for blocking operation in wait_event*() Greg Kroah-Hartman
2023-06-07 20:16 ` [PATCH 5.10 061/120] media: dvb-core: Fix use-after-free due to race condition at dvb_ca_en50221 Greg Kroah-Hartman
2023-06-07 20:16 ` [PATCH 5.10 062/120] s390/pkey: zeroize key blobs Greg Kroah-Hartman
2023-06-07 20:16 ` [PATCH 5.10 063/120] wifi: rtl8xxxu: fix authentication timeout due to incorrect RCR value Greg Kroah-Hartman
2023-06-07 20:16 ` [PATCH 5.10 064/120] ARM: dts: stm32: add pin map for CAN controller on stm32f7 Greg Kroah-Hartman
2023-06-07 20:16 ` [PATCH 5.10 065/120] arm64/mm: mark private VM_FAULT_X defines as vm_fault_t Greg Kroah-Hartman
2023-06-07 20:16 ` [PATCH 5.10 066/120] scsi: core: Decrease scsi_devices iorequest_cnt if dispatch failed Greg Kroah-Hartman
2023-06-07 20:16 ` [PATCH 5.10 067/120] wifi: b43: fix incorrect __packed annotation Greg Kroah-Hartman
2023-06-07 20:16 ` [PATCH 5.10 068/120] netfilter: conntrack: define variables exp_nat_nla_policy and any_addr with CONFIG_NF_NAT Greg Kroah-Hartman
2023-06-07 20:16 ` [PATCH 5.10 069/120] ALSA: oss: avoid missing-prototype warnings Greg Kroah-Hartman
2023-06-07 20:16 ` [PATCH 5.10 070/120] drm/msm: Be more shouty if per-process pgtables arent working Greg Kroah-Hartman
2023-06-07 20:16 ` [PATCH 5.10 071/120] atm: hide unused procfs functions Greg Kroah-Hartman
2023-06-07 20:16 ` [PATCH 5.10 072/120] mailbox: mailbox-test: fix a locking issue in mbox_test_message_write() Greg Kroah-Hartman
2023-06-07 20:16 ` [PATCH 5.10 073/120] iio: adc: mxs-lradc: fix the order of two cleanup operations Greg Kroah-Hartman
2023-06-07 20:16 ` [PATCH 5.10 074/120] HID: google: add jewel USB id Greg Kroah-Hartman
2023-06-07 20:16 ` [PATCH 5.10 075/120] HID: wacom: avoid integer overflow in wacom_intuos_inout() Greg Kroah-Hartman
2023-06-07 20:16 ` [PATCH 5.10 076/120] iio: imu: inv_icm42600: fix timestamp reset Greg Kroah-Hartman
2023-06-07 20:16 ` [PATCH 5.10 077/120] iio: light: vcnl4035: fixed chip ID check Greg Kroah-Hartman
2023-06-07 20:16 ` [PATCH 5.10 078/120] iio: dac: mcp4725: Fix i2c_master_send() return value handling Greg Kroah-Hartman
2023-06-07 20:16 ` [PATCH 5.10 079/120] iio: adc: ad7192: Change "shorted" channels to differential Greg Kroah-Hartman
2023-06-07 20:16 ` [PATCH 5.10 080/120] iio: dac: build ad5758 driver when AD5758 is selected Greg Kroah-Hartman
2023-06-07 20:16 ` [PATCH 5.10 081/120] net: usb: qmi_wwan: Set DTR quirk for BroadMobi BM818 Greg Kroah-Hartman
2023-06-07 20:16 ` [PATCH 5.10 082/120] usb: gadget: f_fs: Add unbind event before functionfs_unbind Greg Kroah-Hartman
2023-06-07 20:16 ` [PATCH 5.10 083/120] misc: fastrpc: return -EPIPE to invocations on device removal Greg Kroah-Hartman
2023-06-07 20:16 ` [PATCH 5.10 084/120] misc: fastrpc: reject new invocations during " Greg Kroah-Hartman
2023-06-07 20:16 ` [PATCH 5.10 085/120] scsi: stex: Fix gcc 13 warnings Greg Kroah-Hartman
2023-06-07 20:16 ` [PATCH 5.10 086/120] ata: libata-scsi: Use correct device no in ata_find_dev() Greg Kroah-Hartman
2023-06-07 20:16 ` [PATCH 5.10 087/120] x86/boot: Wrap literal addresses in absolute_pointer() Greg Kroah-Hartman
2023-06-07 20:16 ` [PATCH 5.10 088/120] ACPI: thermal: drop an always true check Greg Kroah-Hartman
2023-06-07 20:16 ` [PATCH 5.10 089/120] ath6kl: Use struct_group() to avoid size-mismatched casting Greg Kroah-Hartman
2023-06-07 20:16 ` [PATCH 5.10 090/120] gcc-12: disable -Wdangling-pointer warning for now Greg Kroah-Hartman
2023-06-07 20:16 ` [PATCH 5.10 091/120] eth: sun: cassini: remove dead code Greg Kroah-Hartman
2023-06-07 20:16 ` [PATCH 5.10 092/120] mmc: vub300: fix invalid response handling Greg Kroah-Hartman
2023-06-07 20:16 ` [PATCH 5.10 093/120] tty: serial: fsl_lpuart: use UARTCTRL_TXINV to send break instead of UARTCTRL_SBK Greg Kroah-Hartman
2023-06-07 20:16 ` [PATCH 5.10 094/120] btrfs: fix csum_tree_block page iteration to avoid tripping on -Werror=array-bounds Greg Kroah-Hartman
2023-06-07 20:16 ` [PATCH 5.10 095/120] selinux: dont use makes grouped targets feature yet Greg Kroah-Hartman
2023-06-07 20:16 ` [PATCH 5.10 096/120] tracing/probe: trace_probe_primary_from_call(): checked list_first_entry Greg Kroah-Hartman
2023-06-07 20:16 ` [PATCH 5.10 097/120] selftests: mptcp: connect: skip if MPTCP is not supported Greg Kroah-Hartman
2023-06-07 20:16 ` [PATCH 5.10 098/120] selftests: mptcp: pm nl: " Greg Kroah-Hartman
2023-06-07 20:16 ` [PATCH 5.10 099/120] ext4: add EA_INODE checking to ext4_iget() Greg Kroah-Hartman
2023-06-07 20:16 ` [PATCH 5.10 100/120] ext4: set lockdep subclass for the ea_inode in ext4_xattr_inode_cache_find() Greg Kroah-Hartman
2023-06-07 20:16 ` [PATCH 5.10 101/120] ext4: disallow ea_inodes with extended attributes Greg Kroah-Hartman
2023-06-07 20:16 ` [PATCH 5.10 102/120] ext4: add lockdep annotations for i_data_sem for ea_inodes Greg Kroah-Hartman
2023-06-07 20:16 ` [PATCH 5.10 103/120] fbcon: Fix null-ptr-deref in soft_cursor Greg Kroah-Hartman
2023-06-07 20:17 ` [PATCH 5.10 104/120] serial: 8250_tegra: Fix an error handling path in tegra_uart_probe() Greg Kroah-Hartman
2023-06-07 20:17 ` [PATCH 5.10 105/120] test_firmware: fix the memory leak of the allocated firmware buffer Greg Kroah-Hartman
2023-06-07 20:17 ` [PATCH 5.10 106/120] KVM: x86: Account fastpath-only VM-Exits in vCPU stats Greg Kroah-Hartman
2023-06-07 20:17 ` [PATCH 5.10 107/120] KEYS: asymmetric: Copy sig and digest in public_key_verify_signature() Greg Kroah-Hartman
2023-06-07 20:17 ` [PATCH 5.10 108/120] regmap: Account for register length when chunking Greg Kroah-Hartman
2023-06-07 20:17 ` [PATCH 5.10 109/120] tpm, tpm_tis: Request threaded interrupt handler Greg Kroah-Hartman
2023-06-07 20:17 ` [PATCH 5.10 110/120] media: ti-vpe: cal: avoid FIELD_GET assertion Greg Kroah-Hartman
2023-06-07 20:17 ` [PATCH 5.10 111/120] drm/rcar: stop using imply for dependencies Greg Kroah-Hartman
2023-06-07 20:17 ` [PATCH 5.10 112/120] scsi: dpt_i2o: Remove broken pass-through ioctl (I2OUSERCMD) Greg Kroah-Hartman
2023-06-07 20:17 ` [PATCH 5.10 113/120] scsi: dpt_i2o: Do not process completions with invalid addresses Greg Kroah-Hartman
2023-06-07 20:17 ` [PATCH 5.10 114/120] crypto: ccp: Reject SEV commands with mismatching command buffer Greg Kroah-Hartman
2023-06-07 20:17 ` [PATCH 5.10 115/120] crypto: ccp: Play nice with vmallocd memory for SEV command structs Greg Kroah-Hartman
2023-06-07 20:17 ` [PATCH 5.10 116/120] selftests: mptcp: diag: skip if MPTCP is not supported Greg Kroah-Hartman
2023-06-07 20:17 ` [PATCH 5.10 117/120] selftests: mptcp: simult flows: " Greg Kroah-Hartman
2023-06-07 20:17 ` [PATCH 5.10 118/120] selftests: mptcp: join: " Greg Kroah-Hartman
2023-06-07 20:17 ` [PATCH 5.10 119/120] ext4: enable the lazy init thread when remounting read/write Greg Kroah-Hartman
2023-06-07 20:17 ` [PATCH 5.10 120/120] ARM: defconfig: drop CONFIG_DRM_RCAR_LVDS Greg Kroah-Hartman
2023-06-07 23:35 ` [PATCH 5.10 000/120] 5.10.183-rc1 review Florian Fainelli
2023-06-08 3:06 ` Shuah Khan
2023-06-08 7:23 ` Chris Paterson
2023-06-08 12:49 ` Naresh Kamboju
2023-06-09 0:27 ` Guenter Roeck
2023-06-09 8:23 ` Sudip Mukherjee (Codethink)
2023-06-09 16:17 ` Jon Hunter
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230607200902.508540007@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=harperchen1110@gmail.com \
--cc=mchehab@kernel.org \
--cc=patches@lists.linux.dev \
--cc=sashal@kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).