]> git.ipfire.org Git - thirdparty/kernel/linux.git/commitdiff
projects / thirdparty / kernel / linux.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 3a86608)
media: dvb-usb: dtv5100: fix out-of-bounds in dtv5100_i2c_msg()
authorJeongjun Park <aha310510@gmail.com>
Mon, 21 Apr 2025 12:52:44 +0000 (21:52 +0900)
committerHans Verkuil <hverkuil+cisco@kernel.org>
Tue, 14 Oct 2025 13:07:36 +0000 (15:07 +0200)
rlen value is a user-controlled value, but dtv5100_i2c_msg() does not
check the size of the rlen value. Therefore, if it is set to a value
larger than sizeof(st->data), an out-of-bounds vuln occurs for st->data.

Therefore, we need to add proper range checking to prevent this vuln.

Fixes: 60688d5e6e6e ("V4L/DVB (8735): dtv5100: replace dummy frontend by zl10353")
Cc: stable@vger.kernel.org
Signed-off-by: Jeongjun Park <aha310510@gmail.com>
Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
drivers/media/usb/dvb-usb/dtv5100.c patch | blob | blame | history

diff --git a/drivers/media/usb/dvb-usb/dtv5100.c b/drivers/media/usb/dvb-usb/dtv5100.c
index 3d85c6f7f6ecf401a6e60ed4f5d77f4c510a28fe..c448e2ebda1ac0f84e18572c23710a902de61352 100644 (file)
--- a/drivers/media/usb/dvb-usb/dtv5100.c
+++ b/drivers/media/usb/dvb-usb/dtv5100.c
@@ -55,6 +55,11 @@ static int dtv5100_i2c_msg(struct dvb_usb_device *d, u8 addr,
        }
        index = (addr << 8) + wbuf[0];
 
+       if (rlen > sizeof(st->data)) {
+               warn("rlen = %x is too big!\n", rlen);
+               return -EINVAL;
+       }
+
        memcpy(st->data, rbuf, rlen);
        msleep(1); /* avoid I2C errors */
        return usb_control_msg(d->udev, pipe, request,
A mirror of Linus' kernel repository