1. Patchew
  2. linux
  3. View series

[PATCH] media: dw2102: validate I2C messages in su3000_i2c_transfer()

Dharanitharan R posted 1 patch 1 week, 4 days ago
There is a newer version of this series
drivers/media/usb/dvb-usb/dw2102.c | 30 ++++++++++++++++++++++++++++++
1 file changed, 30 insertions(+)
[PATCH] media: dw2102: validate I2C messages in su3000_i2c_transfer()
Posted by Dharanitharan R 1 week, 4 days ago 
syzbot reports a general protection fault caused by su3000_i2c_transfer()
dereferencing msg->buf without validating the message length or buffer
pointer. Although i2c-dev blocks zero-length messages, malformed I²C
messages can still reach the driver through the DVB USB subsystem.

#syz test

Add strict validation of each message to prevent NULL-pointer
dereferences.

Reported-by: syzbot+d99f3a288cc7d8ef60fb@syzkaller.appspotmail.com
Fixes: 0e148a522b84 ("media: dw2102: Don't translate i2c read into write")
Signed-off-by: Dharanitharan R <dharanitharan725@gmail.com>
---
 drivers/media/usb/dvb-usb/dw2102.c | 30 ++++++++++++++++++++++++++++++
 1 file changed, 30 insertions(+)

diff --git a/drivers/media/usb/dvb-usb/dw2102.c b/drivers/media/usb/dvb-usb/dw2102.c
index 4fecf2f965e9..0dd210ea16f3 100644
--- a/drivers/media/usb/dvb-usb/dw2102.c
+++ b/drivers/media/usb/dvb-usb/dw2102.c
@@ -733,6 +733,36 @@ static int su3000_i2c_transfer(struct i2c_adapter *adap, struct i2c_msg msg[],
 		return -EAGAIN;
 	}
 
+		/* Validate incoming I²C messages */
+	if (!msg || num <= 0) {
+		mutex_unlock(&d->data_mutex);
+        mutex_unlock(&d->i2c_mutex);
+		return -EINVAL;
+	}
+
+	for (j = 0; j < num; j++) {
+		/* msg buffer must exist */
+		if (!msg[j].buf) {
+			mutex_unlock(&d->data_mutex);
+            mutex_unlock(&d->i2c_mutex);
+			return -EINVAL;
+		}
+
+		/* zero or negative length is invalid */
+		if (msg[j].len <= 0) {
+			mutex_unlock(&d->data_mutex);
+            mutex_unlock(&d->i2c_mutex);
+			return -EINVAL;
+		}
+
+		/* protect against unreasonable sizes */
+		if (msg[j].len > 256) {
+			mutex_unlock(&d->data_mutex);
+            mutex_unlock(&d->i2c_mutex);
+			return -EOPNOTSUPP;
+		}
+	}
+
 	j = 0;
 	while (j < num) {
 		switch (msg[j].addr) {
-- 
2.43.0
Re: [syzbot] [usb?] [media?] general protection fault in su3000_i2c_transfer
Posted by syzbot 1 week, 4 days ago 
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-by: syzbot+d99f3a288cc7d8ef60fb@syzkaller.appspotmail.com
Tested-by: syzbot+d99f3a288cc7d8ef60fb@syzkaller.appspotmail.com

Tested on:

commit:         c2f2b01b Merge tag 'i3c/for-6.19' of git://git.kernel...
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=14498ec2580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=530ad8e7aaef67e
dashboard link: https://syzkaller.appspot.com/bug?extid=d99f3a288cc7d8ef60fb
compiler:       Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
patch:          https://syzkaller.appspot.com/x/patch.diff?x=15d90a1a580000

Note: testing is done by a robot and is best-effort only.

Patchew 2.1-devel-b67e4c2

© 2016 - 2025 Red Hat, Inc.