From: Phong Tran <tranmanphong@gmail.com>
To: tranmanphong@gmail.com
Cc: andreyknvl@google.com, gregkh@linuxfoundation.org,
hans.verkuil@cisco.com, keescook@chromium.org,
linux-kernel-mentees@lists.linuxfoundation.org,
linux-kernel@vger.kernel.org, linux-media@vger.kernel.org,
linux-usb@vger.kernel.org, mchehab@kernel.org,
skhan@linuxfoundation.org,
syzbot+eaaaf38a95427be88f4b@syzkaller.appspotmail.com,
syzkaller-bugs@googlegroups.com, glider@google.com
Subject: [PATCH V2] media: usb: technisat-usb2: fix buffer overflow
Date: Wed, 3 Jul 2019 09:14:44 +0700 [thread overview]
Message-ID: <20190703021444.19954-1-tranmanphong@gmail.com> (raw)
In-Reply-To: <20190702140211.28399-1-tranmanphong@gmail.com>
The buffer will be overflow in case of the while loop can not break.
Add the checking buffer condition in while loop for avoiding
overlooping index.
This issue was reported by syzbot
Reported-by: syzbot+eaaaf38a95427be88f4b@syzkaller.appspotmail.com
Tested-by:
https://groups.google.com/d/msg/syzkaller-bugs/CySBCKuUOOs/t3PvVheSAAAJ
Signed-off-by: Phong Tran <tranmanphong@gmail.com>
---
Change Log:
* V2: add IR_MAX_BUFFER_INDEX and adjust the while loop condition as comments
---
drivers/media/usb/dvb-usb/technisat-usb2.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/drivers/media/usb/dvb-usb/technisat-usb2.c b/drivers/media/usb/dvb-usb/technisat-usb2.c
index c659e18b358b..cdabff97c1ea 100644
--- a/drivers/media/usb/dvb-usb/technisat-usb2.c
+++ b/drivers/media/usb/dvb-usb/technisat-usb2.c
@@ -49,6 +49,7 @@ MODULE_PARM_DESC(disable_led_control,
"disable LED control of the device (default: 0 - LED control is active).");
/* device private data */
+#define IR_MAX_BUFFER_INDEX 63
struct technisat_usb2_state {
struct dvb_usb_device *dev;
struct delayed_work green_led_work;
@@ -56,7 +57,7 @@ struct technisat_usb2_state {
u16 last_scan_code;
- u8 buf[64];
+ u8 buf[IR_MAX_BUFFER_INDEX + 1];
};
/* debug print helpers */
@@ -655,7 +656,7 @@ static int technisat_usb2_get_ir(struct dvb_usb_device *d)
#endif
ev.pulse = 0;
- while (1) {
+ while (b <= (buf + IR_MAX_BUFFER_INDEX)) {
ev.pulse = !ev.pulse;
ev.duration = (*b * FIRMWARE_CLOCK_DIVISOR * FIRMWARE_CLOCK_TICK) / 1000;
ir_raw_event_store(d->rc_dev, &ev);
--
2.11.0
next prev parent reply other threads:[~2019-07-03 2:15 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-04-14 20:06 KASAN: slab-out-of-bounds Read in technisat_usb2_rc_query syzbot
2019-07-02 14:02 ` [PATCH] media: usb: technisat-usb2: fix buffer overflow Phong Tran
2019-07-02 14:23 ` Alexander Potapenko
2019-07-02 16:03 ` Kees Cook
2019-07-03 2:14 ` Phong Tran [this message]
2019-07-03 2:26 ` [PATCH V2] " Kees Cook
2019-07-03 14:52 ` [PATCH] media: technisat-usb2: break out of loop at end of buffer Sean Young
2019-07-03 16:54 ` Kees Cook
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190703021444.19954-1-tranmanphong@gmail.com \
--to=tranmanphong@gmail.com \
--cc=andreyknvl@google.com \
--cc=glider@google.com \
--cc=gregkh@linuxfoundation.org \
--cc=hans.verkuil@cisco.com \
--cc=keescook@chromium.org \
--cc=linux-kernel-mentees@lists.linuxfoundation.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-media@vger.kernel.org \
--cc=linux-usb@vger.kernel.org \
--cc=mchehab@kernel.org \
--cc=skhan@linuxfoundation.org \
--cc=syzbot+eaaaf38a95427be88f4b@syzkaller.appspotmail.com \
--cc=syzkaller-bugs@googlegroups.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).