From: Hui Peng <benquike@gmail.com>
To: Hui Peng <benquike@gmail.com>
Cc: Mathias Payer <mathias.payer@nebelwelt.net>,
Mauro Carvalho Chehab <mchehab@kernel.org>,
Hans Verkuil <hans.verkuil@cisco.com>,
Kees Cook <keescook@chromium.org>,
linux-media@vger.kernel.org, linux-kernel@vger.kernel.org,
security@kernel.org
Subject: Re: [PATCH] Fix an OOB access bug in technisat_usb2_get_ir
Date: Tue, 20 Aug 2019 14:24:00 -0400 [thread overview]
Message-ID: <b9b256cb-95f2-5fa1-9956-5a602a017c11@gmail.com> (raw)
In-Reply-To: <20190820181921.7921-1-benquike@gmail.com>
The following is the kasan report. This bug was found in v4.20-rc2, but
it is present in the latest version.
BUG: KASAN: slab-out-of-bounds in technisat_usb2_get_ir
drivers/media/usb/dvb-usb/technisat-usb2.c:664 [inline]
BUG: KASAN: slab-out-of-bounds in technisat_usb2_rc_query+0x598/0x5f0
drivers/media/usb/dvb-usb/technisat-usb2.c:679
Read of size 1 at addr ffff88805ee3d3a8 by task kworker/2:3/8681
CPU: 2 PID: 8681 Comm: kworker/2:3 Not tainted 4.20.0-rc2 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
Ubuntu-1.8.2-1ubuntu1 04/01/2014
Workqueue: events dvb_usb_read_remote_control
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0xd2/0x148 lib/dump_stack.c:113
print_address_description+0x71/0x239 mm/kasan/report.c:256
kasan_report_error mm/kasan/report.c:354 [inline]
kasan_report.cold.5+0x242/0x30b mm/kasan/report.c:412
__asan_report_load1_noabort+0x19/0x20 mm/kasan/report.c:430
technisat_usb2_get_ir drivers/media/usb/dvb-usb/technisat-usb2.c:664
[inline]
technisat_usb2_rc_query+0x598/0x5f0
drivers/media/usb/dvb-usb/technisat-usb2.c:679
dvb_usb_read_remote_control+0xbd/0x150
drivers/media/usb/dvb-usb/dvb-usb-remote.c:261
process_one_work+0x816/0x14d0 kernel/workqueue.c:2153
worker_thread+0x9b/0xce0 kernel/workqueue.c:2296
kthread+0x33d/0x400 kernel/kthread.c:246
ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:352
On 8/20/19 2:19 PM, Hui Peng wrote:
> In the while loop of technisat_usb2_get_ir, it scans through
> a fix-sized buffer read from the device side, the termination
> condition of the loop is `*b == 0xff`. If no `0xff` byte is read
> from the device side, OOB access happens.
>
> This patch fixes the bug by adding an upper bound in the while loop.
>
> Reported-by: Hui Peng <benquike@gmail.com>
> Reported-by: Mathias Payer <mathias.payer@nebelwelt.net>
> Signed-off-by: Hui Peng <benquike@gmail.com>
> ---
> drivers/media/usb/dvb-usb/technisat-usb2.c | 5 +++++
> 1 file changed, 5 insertions(+)
>
> diff --git a/drivers/media/usb/dvb-usb/technisat-usb2.c b/drivers/media/usb/dvb-usb/technisat-usb2.c
> index c659e18b358b..181f5f97af45 100644
> --- a/drivers/media/usb/dvb-usb/technisat-usb2.c
> +++ b/drivers/media/usb/dvb-usb/technisat-usb2.c
> @@ -612,6 +612,7 @@ static int technisat_usb2_get_ir(struct dvb_usb_device *d)
> u8 *b;
> int ret;
> struct ir_raw_event ev;
> + int i = 0;
>
> buf[0] = GET_IR_DATA_VENDOR_REQUEST;
> buf[1] = 0x08;
> @@ -656,11 +657,15 @@ static int technisat_usb2_get_ir(struct dvb_usb_device *d)
>
> ev.pulse = 0;
> while (1) {
> + // only `ret` bytes are read from the device side
> + if (i >= ret)
> + break;
> ev.pulse = !ev.pulse;
> ev.duration = (*b * FIRMWARE_CLOCK_DIVISOR * FIRMWARE_CLOCK_TICK) / 1000;
> ir_raw_event_store(d->rc_dev, &ev);
>
> b++;
> + i++;
> if (*b == 0xff) {
> ev.pulse = 0;
> ev.duration = 888888*2;
next prev parent reply other threads:[~2019-08-20 18:24 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-08-20 18:19 [PATCH] Fix an OOB access bug in technisat_usb2_get_ir Hui Peng
2019-08-20 18:24 ` Hui Peng [this message]
2019-08-21 10:44 ` Sean Young
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=b9b256cb-95f2-5fa1-9956-5a602a017c11@gmail.com \
--to=benquike@gmail.com \
--cc=hans.verkuil@cisco.com \
--cc=keescook@chromium.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-media@vger.kernel.org \
--cc=mathias.payer@nebelwelt.net \
--cc=mchehab@kernel.org \
--cc=security@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).