Because blen is not properly bounds-checked in __az6007_read/write,
it is easy to trigger out-of-bounds accesses in az6007_i2c_xfer later.
Therefore, we need to add bounds-checking to __az6007_read/write to
resolve this.
Cc: <stable@vger.kernel.org>
Reported-by: syzbot+0192952caa411a3be209@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=0192952caa411a3be209
Fixes: 786baecfe78f ("[media] dvb-usb: move it to drivers/media/usb/dvb-usb")
Signed-off-by: Jeongjun Park <aha310510@gmail.com>
---
v2: Change to fix the root cause of oob
- Link to v1: https://lore.kernel.org/all/20250421105555.34984-1-aha310510@gmail.com/
---
drivers/media/usb/dvb-usb-v2/az6007.c | 62 +++++++++++++++------------
1 file changed, 34 insertions(+), 28 deletions(-)
diff --git a/drivers/media/usb/dvb-usb-v2/az6007.c b/drivers/media/usb/dvb-usb-v2/az6007.c
index 65ef045b74ca..4202042bdb55 100644
--- a/drivers/media/usb/dvb-usb-v2/az6007.c
+++ b/drivers/media/usb/dvb-usb-v2/az6007.c
@@ -97,11 +97,17 @@ static struct mt2063_config az6007_mt2063_config = {
.refclock = 36125000,
};
-static int __az6007_read(struct usb_device *udev, u8 req, u16 value,
- u16 index, u8 *b, int blen)
+static int __az6007_read(struct usb_device *udev, struct az6007_device_state *st,
+ u8 req, u16 value, u16 index, u8 *b, int blen)
{
int ret;
+ if (blen > sizeof(st->data)) {
+ pr_err("az6007: tried to read %d bytes, but I2C max size is %lu bytes\n",
+ blen, sizeof(st->data));
+ return -EOPNOTSUPP;
+ }
+
ret = usb_control_msg(udev,
usb_rcvctrlpipe(udev, 0),
req,
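Review bot: The new guard rejects `blen` against `sizeof(st->data)` without knowing whether `b` actually points into `st->data`; in this patch az6007_identify_state passes the 6-byte `mac` allocation and the write path passes `&msgs[i].buf[1]`, so for those callers the bound being checked is unrelated to the buffer used. Consider passing the capacity of `b` explicitly (e.g. a `size_t bsize` parameter, with the `st->data` callers passing `sizeof(st->data)`), or at least state the contract above the check: `/* b must hold at least blen bytes; the bound below is the size of st->data, which most callers read into */`. The same check is duplicated verbatim in __az6007_write (hunk at line 52); a shared static helper would keep the two bounds from drifting. Because `blen` is `int` and `sizeof` yields `size_t`, a negative `blen` is promoted and rejected as well, which is the desired outcome but worth saying in the comment. __az6007_read continues past the end of this hunk.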
@@ -125,24 +131,30 @@ static int __az6007_read(struct usb_device *udev, u8 req, u16 value,
static int az6007_read(struct dvb_usb_device *d, u8 req, u16 value,
u16 index, u8 *b, int blen)
{
- struct az6007_device_state *st = d->priv;
+ struct az6007_device_state *st = d_to_priv(d);
int ret;
if (mutex_lock_interruptible(&st->mutex) < 0)
return -EAGAIN;
- ret = __az6007_read(d->udev, req, value, index, b, blen);
+ ret = __az6007_read(d->udev, st, req, value, index, b, blen);
mutex_unlock(&st->mutex);
return ret;
}
-static int __az6007_write(struct usb_device *udev, u8 req, u16 value,
- u16 index, u8 *b, int blen)
+static int __az6007_write(struct usb_device *udev, struct az6007_device_state *st,
+ u8 req, u16 value, u16 index, u8 *b, int blen)
{
int ret;
+ if (blen > sizeof(st->data)) {
+ pr_err("az6007: tried to write %d bytes, but I2C max size is %lu bytes\n",
+ blen, sizeof(st->data));
+ return -EOPNOTSUPP;
+ }
+
if (az6007_xfer_debug) {
printk(KERN_DEBUG "az6007: OUT req: %02x, value: %04x, index: %04x\n",
req, value, index);
@@ -150,12 +162,6 @@ static int __az6007_write(struct usb_device *udev, u8 req, u16 value,
DUMP_PREFIX_NONE, b, blen);
}
- if (blen > 64) {
- pr_err("az6007: tried to write %d bytes, but I2C max size is 64 bytes\n",
- blen);
- return -EOPNOTSUPP;
- }
-
ret = usb_control_msg(udev,
usb_sndctrlpipe(udev, 0),
req,
@@ -172,13 +178,13 @@ static int __az6007_write(struct usb_device *udev, u8 req, u16 value,
static int az6007_write(struct dvb_usb_device *d, u8 req, u16 value,
u16 index, u8 *b, int blen)
{
- struct az6007_device_state *st = d->priv;
+ struct az6007_device_state *st = d_to_priv(d);
int ret;
if (mutex_lock_interruptible(&st->mutex) < 0)
return -EAGAIN;
- ret = __az6007_write(d->udev, req, value, index, b, blen);
+ ret = __az6007_write(d->udev, st, req, value, index, b, blen);
mutex_unlock(&st->mutex);
@@ -775,7 +781,7 @@ static int az6007_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg msgs[],
value = addr | (1 << 8);
length = 6 + msgs[i + 1].len;
len = msgs[i + 1].len;
- ret = __az6007_read(d->udev, req, value, index,
+ ret = __az6007_read(d->udev, st, req, value, index,
st->data, length);
if (ret >= len) {
for (j = 0; j < len; j++)
@@ -788,7 +794,7 @@ static int az6007_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg msgs[],
if (az6007_xfer_debug)
printk(KERN_DEBUG "az6007: I2C W addr=0x%x len=%d\n",
addr, msgs[i].len);
- if (msgs[i].len < 1) {
+ if (msgs[i].len < 1 && msgs[i].len > 64) {
ret = -EIO;
goto err;
}
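Review bot: The changed condition `msgs[i].len < 1 && msgs[i].len > 64` can never be true, so the pre-existing zero-length guard is lost and a message with `len == 0` reaches `index = msgs[i].buf[0]` in the following hunk; the operator must be `||`: `if (msgs[i].len < 1 || msgs[i].len > 64) {`. The literal 64 also duplicates the limit that __az6007_write now derives from `sizeof(st->data)`; if they are meant to be the same bound, derive it the same way here (or from one named constant) so the two cannot drift apart. az6007_i2c_xfer starts and ends outside this hunk.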
@@ -796,11 +802,8 @@ static int az6007_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg msgs[],
index = msgs[i].buf[0];
value = addr | (1 << 8);
length = msgs[i].len - 1;
- len = msgs[i].len - 1;
- for (j = 0; j < len; j++)
- st->data[j] = msgs[i].buf[j + 1];
- ret = __az6007_write(d->udev, req, value, index,
- st->data, length);
+ ret = __az6007_write(d->udev, st, req, value, index,
+ &msgs[i].buf[1], length);
} else {
/* read bytes */
if (az6007_xfer_debug)
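Review bot: Passing `&msgs[i].buf[1]` straight to __az6007_write drops the staging copy through `st->data`, but usb_control_msg needs a DMA-capable buffer and i2c_msg payloads can come from callers that stack-allocate them (the SMBus emulation path, for example), so the bounce copy may have been deliberate; confirm before removing it. If the copy is kept, the bound to enforce is `length > sizeof(st->data)` before the loop, which is where the reported overflow happened. If it is dropped, the check inside __az6007_write now compares `length` against `sizeof(st->data)` although the buffer is no longer `st->data`, which should be stated here, e.g. `/* payload is the caller's i2c_msg buffer, bounded by msgs[i].len - 1 */`. The enclosing function starts and ends outside this hunk.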
@@ -815,10 +818,12 @@ static int az6007_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg msgs[],
value = addr;
length = msgs[i].len + 6;
len = msgs[i].len;
- ret = __az6007_read(d->udev, req, value, index,
+ ret = __az6007_read(d->udev, st, req, value, index,
st->data, length);
- for (j = 0; j < len; j++)
- msgs[i].buf[j] = st->data[j + 5];
+ if (ret >= len) {
+ for (j = 0; j < len; j++)
+ msgs[i].buf[j] = st->data[j + 5];
+ }
}
if (ret < 0)
goto err;
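Review bot: With the new `if (ret >= len)` guard, a transfer that succeeds but returns fewer than `len` bytes leaves `msgs[i].buf` unfilled while `ret` stays non-negative, so the `if (ret < 0) goto err;` below treats the short read as success and the caller receives stale data. If a short reply is not a legitimate device response, fail it explicitly instead of skipping the copy: `if (ret < len) { ret = -EIO; goto err; }`. The earlier read path (hunk at line 91) has the same pattern and would need the same treatment. The enclosing loop starts and ends outside this hunk.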
@@ -845,6 +850,7 @@ static const struct i2c_algorithm az6007_i2c_algo = {
static int az6007_identify_state(struct dvb_usb_device *d, const char **name)
{
+ struct az6007_device_state *state = d_to_priv(d);
int ret;
u8 *mac;
@@ -855,7 +861,7 @@ static int az6007_identify_state(struct dvb_usb_device *d, const char **name)
return -ENOMEM;
/* Try to read the mac address */
- ret = __az6007_read(d->udev, AZ6007_READ_DATA, 6, 0, mac, 6);
+ ret = __az6007_read(d->udev, state, AZ6007_READ_DATA, 6, 0, mac, 6);
if (ret == 6)
ret = WARM;
else
@@ -864,9 +870,9 @@ static int az6007_identify_state(struct dvb_usb_device *d, const char **name)
kfree(mac);
if (ret == COLD) {
- __az6007_write(d->udev, 0x09, 1, 0, NULL, 0);
- __az6007_write(d->udev, 0x00, 0, 0, NULL, 0);
- __az6007_write(d->udev, 0x00, 0, 0, NULL, 0);
+ __az6007_write(d->udev, state, 0x09, 1, 0, NULL, 0);
+ __az6007_write(d->udev, state, 0x00, 0, 0, NULL, 0);
+ __az6007_write(d->udev, state, 0x00, 0, 0, NULL, 0);
}
pr_debug("Device is on %s state\n",
--
Hi Jeongjun, kernel test robot noticed the following build warnings: [auto build test WARNING on linuxtv-media-pending/master] [also build test WARNING on linus/master v6.17-rc5 next-20250908] [If your patch is applied to the wrong git tree, kindly drop us a note. And when submitting patch, we suggest to use '--base' as documented in https://git-scm.com/docs/git-format-patch#_base_tree_information] url: https://github.com/intel-lab-lkp/linux/commits/Jeongjun-Park/media-az6007-fix-out-of-bounds-in-az6007_i2c_xfer/20250908-231026 base: https://git.linuxtv.org/media-ci/media-pending.git master patch link: https://lore.kernel.org/r/20250908150730.24560-2-aha310510%40gmail.com patch subject: [PATCH v2 1/2] media: az6007: fix out-of-bounds in az6007_i2c_xfer() config: hexagon-allyesconfig (https://download.01.org/0day-ci/archive/20250909/202509091306.eGl2abHr-lkp@intel.com/config) compiler: clang version 22.0.0git (https://github.com/llvm/llvm-project 7fb1dc08d2f025aad5777bb779dfac1197e9ef87) reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20250909/202509091306.eGl2abHr-lkp@intel.com/reproduce) If you fix the issue in a separate patch/commit (i.e. not just a new version of the same patch/commit), kindly add following tags | Reported-by: kernel test robot <lkp@intel.com> | Closes: https://lore.kernel.org/oe-kbuild-all/202509091306.eGl2abHr-lkp@intel.com/ All warnings (new ones prefixed by >>): >> drivers/media/usb/dvb-usb-v2/az6007.c:107:16: warning: format specifies type 'unsigned long' but the argument has type '__size_t' (aka 'unsigned int') [-Wformat] 106 | pr_err("az6007: tried to read %d bytes, but I2C max size is %lu bytes\n", | ~~~ | %zu 107 | blen, sizeof(st->data)); | ^~~~~~~~~~~~~~~~ include/linux/printk.h:557:33: note: expanded from macro 'pr_err' 557 | printk(KERN_ERR pr_fmt(fmt), ##__VA_ARGS__) | ~~~ ^~~~~~~~~~~ include/linux/printk.h:514:60: note: expanded from macro 'printk' 514 | #define printk(fmt, ...) 
printk_index_wrap(_printk, fmt, ##__VA_ARGS__) | ~~~ ^~~~~~~~~~~ include/linux/printk.h:486:19: note: expanded from macro 'printk_index_wrap' 486 | _p_func(_fmt, ##__VA_ARGS__); \ | ~~~~ ^~~~~~~~~~~ drivers/media/usb/dvb-usb-v2/az6007.c:154:16: warning: format specifies type 'unsigned long' but the argument has type '__size_t' (aka 'unsigned int') [-Wformat] 153 | pr_err("az6007: tried to write %d bytes, but I2C max size is %lu bytes\n", | ~~~ | %zu 154 | blen, sizeof(st->data)); | ^~~~~~~~~~~~~~~~ include/linux/printk.h:557:33: note: expanded from macro 'pr_err' 557 | printk(KERN_ERR pr_fmt(fmt), ##__VA_ARGS__) | ~~~ ^~~~~~~~~~~ include/linux/printk.h:514:60: note: expanded from macro 'printk' 514 | #define printk(fmt, ...) printk_index_wrap(_printk, fmt, ##__VA_ARGS__) | ~~~ ^~~~~~~~~~~ include/linux/printk.h:486:19: note: expanded from macro 'printk_index_wrap' 486 | _p_func(_fmt, ##__VA_ARGS__); \ | ~~~~ ^~~~~~~~~~~ 2 warnings generated. vim +107 drivers/media/usb/dvb-usb-v2/az6007.c 99 100 static int __az6007_read(struct usb_device *udev, struct az6007_device_state *st, 101 u8 req, u16 value, u16 index, u8 *b, int blen) 102 { 103 int ret; 104 105 if (blen > sizeof(st->data)) { 106 pr_err("az6007: tried to read %d bytes, but I2C max size is %lu bytes\n", > 107 blen, sizeof(st->data)); 108 return -EOPNOTSUPP; 109 } 110 111 ret = usb_control_msg(udev, 112 usb_rcvctrlpipe(udev, 0), 113 req, 114 USB_TYPE_VENDOR | USB_DIR_IN, 115 value, index, b, blen, 5000); 116 if (ret < 0) { 117 pr_warn("usb read operation failed. (%d)\n", ret); 118 return -EIO; 119 } 120 121 if (az6007_xfer_debug) { 122 printk(KERN_DEBUG "az6007: IN req: %02x, value: %04x, index: %04x\n", 123 req, value, index); 124 print_hex_dump_bytes("az6007: payload: ", 125 DUMP_PREFIX_NONE, b, blen); 126 } 127 128 return ret; 129 } 130 -- 0-DAY CI Kernel Test Service https://github.com/intel/lkp-tests/wiki