From: Hui Peng
To: security@kernel.org
Cc: Hui Peng, Mathias Payer, Mauro Carvalho Chehab, Hans Verkuil, Kees Cook, linux-media@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH] Fix an OOB access bug in technisat_usb2_get_ir
Date: Tue, 20 Aug 2019 14:19:16 -0400
Message-Id: <20190820181921.7921-1-benquike@gmail.com>
X-Mailing-List: linux-media@vger.kernel.org

In the while loop of technisat_usb2_get_ir, it scans through a fixed-size buffer read from the device side; the termination condition of the loop is `*b == 0xff`. If no `0xff` byte is read from the device side, OOB access happens.

This patch fixes the bug by adding an upper bound in the while loop.

Reported-by: Hui Peng
Reported-by: Mathias Payer
Signed-off-by: Hui Peng
---
 drivers/media/usb/dvb-usb/technisat-usb2.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/drivers/media/usb/dvb-usb/technisat-usb2.c b/drivers/media/usb/dvb-usb/technisat-usb2.c index c659e18b358b..181f5f97af45 100644 --- a/drivers/media/usb/dvb-usb/technisat-usb2.c +++ b/drivers/media/usb/dvb-usb/technisat-usb2.c @@ -612,6 +612,7 @@ static int technisat_usb2_get_ir(struct dvb_usb_device *d) u8 *b; int ret; struct ir_raw_event ev; + int i = 0; buf[0] = GET_IR_DATA_VENDOR_REQUEST; buf[1] = 0x08; @@ -656,11 +657,15 @@ static int technisat_usb2_get_ir(struct dvb_usb_device *d) ev.pulse = 0; while (1) { + // only `ret` bytes are read from the device side + if (i >= ret) + break; ev.pulse = !ev.pulse; ev.duration = (*b * FIRMWARE_CLOCK_DIVISOR * FIRMWARE_CLOCK_TICK) / 1000; ir_raw_event_store(d->rc_dev, &ev); b++; + i++; if (*b == 0xff) { ev.pulse = 0; ev.duration = 888888*2;
--
2.23.0
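Review bot: the bound in the second hunk is checked only at the top of the loop, but `*b` is dereferenced a second time in `if (*b == 0xff)` immediately after `b++; i++;`, so on the iteration where `i` reaches `ret` that comparison still reads at least one byte beyond the `ret` bytes the device returned, which is the same class of read the patch sets out to stop. Either guard that comparison with `i < ret` as well, or move the `0xff` test ahead of the duration computation so the single top-of-loop bound covers every dereference. Minor: kernel style uses `/* ... */` rather than `//` for the added comment, and `while (1) { if (i >= ret) break;` reads more naturally as `while (i < ret) {`.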
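As an added example (not the driver's code and not part of this patch), a stand-alone C model of the decoding loop in which both the `0xff` terminator test and the length bound are evaluated before any byte is read, so a reply that never contains `0xff` stops at the end of the received data instead of running past it. The buffer size, the clock scaling constant and the two sample replies are constructed assumptions, not values from the driver.

```c
#include <stdint.h>
#include <string.h>

#define IR_BUF_SIZE 62u    /* fixed reply buffer size used by the constructed samples (assumption) */
#define CLOCK_SCALE_US 50u /* stand-in for FIRMWARE_CLOCK_DIVISOR*FIRMWARE_CLOCK_TICK/1000 (assumption) */

struct ir_event { int pulse; unsigned duration_us; };

/* Decode a reply of `ret` bytes held in buf[] (buf[0] is a header byte, not
 * timing data). Terminator test and length bound both run before each read,
 * so nothing past buf[ret-1] or past the buffer itself is touched.
 * Returns the number of events written to out[], or -1 if the received
 * bytes ended without a 0xff terminator. */
static int decode_ir(const uint8_t *buf, size_t buf_size, int ret,
                     struct ir_event *out, size_t max_out)
{
    size_t n = 0, limit = (size_t)ret < buf_size ? (size_t)ret : buf_size;
    int pulse = 0;
    if (ret <= 1)
        return 0;                        /* short reply: no key pressed */

    for (size_t i = 1; i < limit; i++) {
        if (buf[i] == 0xff) {            /* terminator: trailing gap, then stop */
            if (n < max_out)
                out[n++] = (struct ir_event){ 0, 888888 * 2 };
            return (int)n;
        }
        pulse = !pulse;                  /* alternate pulse/space like the driver */
        if (n < max_out)
            out[n++] = (struct ir_event){ pulse, buf[i] * CLOCK_SCALE_US };
    }
    return -1;                           /* ran out of data before any 0xff */
}

/* Constructed reply with a terminator: 0x10 0x20 0x30 0xff -> 4 events. */
int demo_terminated(void)
{
    uint8_t buf[IR_BUF_SIZE] = { 0x01, 0x10, 0x20, 0x30, 0xff };
    struct ir_event ev[IR_BUF_SIZE];
    return decode_ir(buf, sizeof buf, 5, ev, IR_BUF_SIZE);
}

/* Constructed full-length reply with no 0xff at all: the unbounded original
 * loop would walk off the end here; the bounded decoder reports -1. */
int demo_unterminated(void)
{
    uint8_t buf[IR_BUF_SIZE];
    struct ir_event ev[IR_BUF_SIZE];
    memset(buf, 0x10, sizeof buf);
    return decode_ir(buf, sizeof buf, (int)sizeof buf, ev, IR_BUF_SIZE);
}
```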