[04/24] media: dvb-usb: az6027: fix three null-ptr-deref in az6027_i2c_xfer()
Commit Message
From: Wei Chen <harperchen1110@gmail.com>
In az6027_i2c_xfer, msg is controlled by user. When msg[i].buf is null,
commit 0ed554fd769a ("media: dvb-usb: az6027: fix null-ptr-deref in az6027_i2c_xfer()")
fix the null-ptr-deref bug when msg[i].addr is 0x99. However, null-ptr-deref
also happens when msg[i].addr is 0xd0 and 0xc0. We add check on msg[i].len to
prevent null-ptr-deref.
Link: https://lore.kernel.org/linux-media/20230310165604.3093483-1-harperchen1110@gmail.com
Signed-off-by: Wei Chen <harperchen1110@gmail.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
---
drivers/media/usb/dvb-usb/az6027.c | 12 ++++++++++++
1 file changed, 12 insertions(+)
Comments
Am 13.05.23 um 19:57 schrieb Mauro Carvalho Chehab:
> From: Wei Chen <harperchen1110@gmail.com>
>
> In az6027_i2c_xfer, msg is controlled by user. When msg[i].buf is null,
> commit 0ed554fd769a ("media: dvb-usb: az6027: fix null-ptr-deref in az6027_i2c_xfer()")
> fix the null-ptr-deref bug when msg[i].addr is 0x99. However, null-ptr-deref
> also happens when msg[i].addr is 0xd0 and 0xc0. We add check on msg[i].len to
> prevent null-ptr-deref.
>
Some added checks still allow too short buffers.
> Link: https://lore.kernel.org/linux-media/20230310165604.3093483-1-harperchen1110@gmail.com
> Signed-off-by: Wei Chen <harperchen1110@gmail.com>
> Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
> ---
> drivers/media/usb/dvb-usb/az6027.c | 12 ++++++++++++
> 1 file changed, 12 insertions(+)
>
> diff --git a/drivers/media/usb/dvb-usb/az6027.c b/drivers/media/usb/dvb-usb/az6027.c
> index 7d78ee09be5e..a31c6f82f4e9 100644
> --- a/drivers/media/usb/dvb-usb/az6027.c
> +++ b/drivers/media/usb/dvb-usb/az6027.c
> @@ -988,6 +988,10 @@ static int az6027_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg msg[], int n
> /* write/read request */
> if (i + 1 < num && (msg[i + 1].flags & I2C_M_RD)) {
> req = 0xB9;
> + if (msg[i].len < 1) {
> + i = -EOPNOTSUPP;
> + break;
> + }
The following line accesses the elements 0 and 1. Shouldn't this code
check for msg[i].len < 2.
Or even msg[i].len != 2? Too long input seems just to get ignored.
> index = (((msg[i].buf[0] << 8) & 0xff00) | (msg[i].buf[1] & 0x00ff));
> value = msg[i].addr + (msg[i].len << 8);
> length = msg[i + 1].len + 6;
> @@ -1001,6 +1005,10 @@ static int az6027_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg msg[], int n
>
> /* demod 16bit addr */
> req = 0xBD;
> + if (msg[i].len < 1) {
> + i = -EOPNOTSUPP;
> + break;
> + }
Same here, at least two elements are used.
> index = (((msg[i].buf[0] << 8) & 0xff00) | (msg[i].buf[1] & 0x00ff));
> value = msg[i].addr + (2 << 8);
> length = msg[i].len - 2;
> @@ -1026,6 +1034,10 @@ static int az6027_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg msg[], int n
> } else {
>
> req = 0xBD;
> + if (msg[i].len < 1) {
> + i = -EOPNOTSUPP;
> + break;
> + }
> index = msg[i].buf[0] & 0x00FF;
> value = msg[i].addr + (1 << 8);
> length = msg[i].len - 1;
@@ -988,6 +988,10 @@ static int az6027_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg msg[], int n
/* write/read request */
if (i + 1 < num && (msg[i + 1].flags & I2C_M_RD)) {
req = 0xB9;
+ if (msg[i].len < 1) {
+ i = -EOPNOTSUPP;
+ break;
+ }
index = (((msg[i].buf[0] << 8) & 0xff00) | (msg[i].buf[1] & 0x00ff));
value = msg[i].addr + (msg[i].len << 8);
length = msg[i + 1].len + 6;
@@ -1001,6 +1005,10 @@ static int az6027_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg msg[], int n
/* demod 16bit addr */
req = 0xBD;
+ if (msg[i].len < 1) {
+ i = -EOPNOTSUPP;
+ break;
+ }
index = (((msg[i].buf[0] << 8) & 0xff00) | (msg[i].buf[1] & 0x00ff));
value = msg[i].addr + (2 << 8);
length = msg[i].len - 2;
@@ -1026,6 +1034,10 @@ static int az6027_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg msg[], int n
} else {
req = 0xBD;
+ if (msg[i].len < 1) {
+ i = -EOPNOTSUPP;
+ break;
+ }
index = msg[i].buf[0] & 0x00FF;
value = msg[i].addr + (1 << 8);
length = msg[i].len - 1;