From: Dharanitharan R
To: linux-media@vger.kernel.org
Cc: linux-kernel@vger.kernel.org, mchehab@kernel.org, micha@freedict.org, syzkaller-bugs@googlegroups.com, syzbot+d99f3a288cc7d8ef60fb@syzkaller.appspotmail.com, Dharanitharan R
Subject: [PATCH] media: dw2102: validate I2C messages in su3000_i2c_transfer()
Date: Mon, 8 Dec 2025 03:12:25 +0000
Message-ID: <20251208031224.10579-2-dharanitharan725@gmail.com>
X-Mailer: git-send-email 2.43.0
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

syzbot reports a general protection fault caused by
su3000_i2c_transfer() dereferencing msg->buf without validating the
message length or buffer pointer. Although i2c-dev blocks zero-length
messages, malformed I²C messages can still reach the driver through the
DVB USB subsystem.

#syz test

Add strict validation of each message to prevent NULL-pointer
dereferences.

Reported-by: syzbot+d99f3a288cc7d8ef60fb@syzkaller.appspotmail.com
Fixes: 0e148a522b84 ("media: dw2102: Don't translate i2c read into write")
Signed-off-by: Dharanitharan R
Tested-by: syzbot+d99f3a288cc7d8ef60fb@syzkaller.appspotmail.com
---
 drivers/media/usb/dvb-usb/dw2102.c | 30 ++++++++++++++++++++++++++++++
 1 file changed, 30 insertions(+)

diff --git a/drivers/media/usb/dvb-usb/dw2102.c b/drivers/media/usb/dvb-usb= /dw2102.c index 4fecf2f965e9..0dd210ea16f3 100644 --- a/drivers/media/usb/dvb-usb/dw2102.c +++ b/drivers/media/usb/dvb-usb/dw2102.c
@@ -733,6 +733,36 @@ static int su3000_i2c_transfer(struct i2c_adapter *ada= p, struct i2c_msg msg[], return -EAGAIN; } =20 + /* Validate incoming I=C2=B2C messages */ + if (!msg || num <=3D 0) { + mutex_unlock(&d->data_mutex); + mutex_unlock(&d->i2c_mutex); + return -EINVAL; + } + + for (j =3D 0; j < num; j++) { + /* msg buffer must exist */ + if (!msg[j].buf) { + mutex_unlock(&d->data_mutex); + mutex_unlock(&d->i2c_mutex); + return -EINVAL; + } + + /* zero or negative length is invalid */ + if (msg[j].len <=3D 0) { + mutex_unlock(&d->data_mutex); + mutex_unlock(&d->i2c_mutex); + return -EINVAL; + } + + /* protect against unreasonable sizes */ + if (msg[j].len > 256) { + mutex_unlock(&d->data_mutex); + mutex_unlock(&d->i2c_mutex); + return -EOPNOTSUPP; + } + } + j =3D 0; while (j < num) { switch (msg[j].addr) { --=20 2.43.0
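
Review bot: The msg[j].len > 256 check at the end of the validation loop uses a bare constant that neither the hunk nor the changelog ties to the size of any buffer the transfer code below fills, so it is not clear that the bound prevents an overrun, or that it leaves alone transfers the device handles today. Derive it from the real buffer (a sizeof or a named constant) and say in the comment what it protects. In the check before it, struct i2c_msg declares len as __u16, so msg[j].len <= 0 can only ever mean len == 0 and the "zero or negative" comment is misleading; !msg[j].len states the intent. All four rejection paths repeat the same mutex_unlock(&d->data_mutex); mutex_unlock(&d->i2c_mutex); pair, which is easy to get out of sync with the rest of the function; set the error code and jump to one shared unlock label instead. The changelog body also still carries a "#syz test" command, which should be dropped before this is applied.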