From: pip-izony
To: Mauro Carvalho Chehab
Cc: Seungjin Bae, Kyungtae Kim, Sanghoon Choi, linux-media@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH] media: ttusb-dec: fix heap-buffer-overflow in ttusb_dec_process_urb_frame()
Date: Sun, 21 Dec 2025 19:20:20 -0500
Message-ID: <20251222002019.882867-2-eeodqql09@gmail.com>
From: Seungjin Bae The `ttusb_dec_process_urb_frame()` parses the PVA packet from the USB device. However, it doesn't check whether the calculated `packet_payload_length` exceeds the size of the `packet` buffer. The `packet` buffer has a fixed size of `MAX_PVA_LENGTH + 4`. However, `packet_payload_length` is derived from 2 bytes of the input data, allowing a maximum value of 65543 bytes (8 + 0xFFFF). If a malicious USB device sends a packet with crafted data, it triggers a heap buffer overflow. This allows an attacker to overwrite adjacent fields in the `struct ttusb_dec`. Specifically, the `a_pes2ts` field, which contains a callback function pointer, is located after the `packet` buffer. Overwriting this pointer can lead to control flow hijacking. Fix this by adding a bounds check for the parsed length against the buffer size. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Co-developed-by: Sanghoon Choi Signed-off-by: Sanghoon Choi Signed-off-by: Seungjin Bae --- drivers/media/usb/ttusb-dec/ttusb_dec.c | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/drivers/media/usb/ttusb-dec/ttusb_dec.c b/drivers/media/usb/tt= usb-dec/ttusb_dec.c index b4575fe89c95..77452ff2522f 100644 --- a/drivers/media/usb/ttusb-dec/ttusb_dec.c +++ b/drivers/media/usb/ttusb-dec/ttusb_dec.c @@ -703,10 +703,18 @@ static void ttusb_dec_process_urb_frame(struct ttusb_= dec *dec, u8 *b, =20 if (dec->packet_type =3D=3D TTUSB_DEC_PACKET_PVA && dec->packet_length =3D=3D 8) { - dec->packet_state++; - dec->packet_payload_length =3D 8 + + int len =3D 8 + (dec->packet[6] << 8) + dec->packet[7]; + + if (len > MAX_PVA_LENGTH + 4) { + printk("%s: packet too long - discarding\n", + __func__); + dec->packet_state =3D 0; + } else { + dec->packet_state++; + dec->packet_payload_length =3D len; + } } else if (dec->packet_type =3D=3D TTUSB_DEC_PACKET_SECTION && dec->packet_length =3D=3D 5) { --=20 2.43.0
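Review bot: the bound in `if (len > MAX_PVA_LENGTH + 4)` restates the size of `dec->packet` by hand; `if (len > sizeof(dec->packet))` would keep the check tied to the buffer declaration if the array is ever resized. On the same hunk, the bare `printk("%s: packet too long - discarding\n", __func__);` carries no log level and no rate limit, so a misbehaving device can flood the log; `dev_err_ratelimited()` or `printk_ratelimited(KERN_ERR ...)` would be more conventional. The discard path resets only `dec->packet_state = 0;` while `dec->packet_length` (tested in the surrounding condition) is left alone, so please confirm the state-0 path resynchronises on its own. Finally, the removed `dec->packet_payload_length = 8 +` line is a continuation, but the remainder of that expression appears neither as removed nor as context in the hunk as posted; worth checking the hunk is complete.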
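As an added illustration (not the kernel's code and not part of this patch), the length check from the hunk modelled in plain C, with the bound taken from sizeof() of the buffer and exercised at the exact-fit and one-past boundaries; `dec_model`, the helper names and the MAX_PVA_LENGTH value are assumptions for this example only:

```c
/* Added example, not the ttusb-dec driver's code: models the PVA length
 * check from the patch with the bound derived from the buffer itself. */
#include <stdint.h>
#include <stdio.h>

#define MAX_PVA_LENGTH 6144   /* assumed value; the driver defines its own */

struct dec_model {
    uint8_t packet[MAX_PVA_LENGTH + 4]; /* same size as the driver's buffer */
    int     packet_state;
    int     packet_payload_length;
};

/* Parse the 16-bit big-endian length from an 8-byte PVA header.
 * Returns 1 and advances the state when the whole packet fits in
 * dec->packet; returns 0 and resets the state when it would overflow. */
int pva_accept_length(struct dec_model *dec)
{
    /* 8 header bytes + 16-bit field: at most 8 + 0xFFFF = 65543 */
    int len = 8 + (dec->packet[6] << 8) + dec->packet[7];

    if (len > (int)sizeof(dec->packet)) {
        printf("packet too long (%d > %zu) - discarding\n",
               len, sizeof(dec->packet));
        dec->packet_state = 0;
        dec->packet_payload_length = 0;
        return 0;
    }
    dec->packet_state++;
    dec->packet_payload_length = len;
    return 1;
}

/* Helper: run the check on a fresh decoder model for one header value.
 * Returns the accepted total length, or 0 when the packet was discarded. */
int pva_length_for(uint16_t payload)
{
    struct dec_model dec = {0};
    dec.packet[6] = (uint8_t)(payload >> 8);   /* constructed header bytes */
    dec.packet[7] = (uint8_t)(payload & 0xff);
    dec.packet_state = 1;
    return pva_accept_length(&dec) ? dec.packet_payload_length : 0;
}

int main(void)
{
    printf("payload 100    -> total %d\n", pva_length_for(100));
    printf("payload 0xFFFF -> total %d (0 = discarded)\n", pva_length_for(0xFFFF));
    return 0;
}
```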