From: pip-izony
To: Mauro Carvalho Chehab
Cc: Seungjin Bae, Kyungtae Kim, Sanghoon Choi, linux-media@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH v3] media: ttusb-dec: fix heap-buffer-overflow in ttusb_dec_process_urb_frame()
Date: Mon, 22 Dec 2025 20:01:22 -0500
Message-ID: <20251223010121.1142862-2-eeodqql09@gmail.com>
In-Reply-To: <20251222054644.938208-2-eeodqql09@gmail.com>
References: <20251222054644.938208-2-eeodqql09@gmail.com>
From: Seungjin Bae

The `ttusb_dec_process_urb_frame()` parses the PVA packet from the USB device. However, it doesn't check whether the calculated `packet_payload_length` exceeds the size of the `packet` buffer.

The `packet` buffer has a fixed size of `MAX_PVA_LENGTH + 4`. However, `packet_payload_length` is derived from 2 bytes of the input data, allowing a maximum value of 65543 bytes (8 + 0xFFFF).

If a malicious USB device sends a packet with crafted data, it triggers a heap buffer overflow. This allows an attacker to overwrite adjacent fields in the `struct ttusb_dec`. Specifically, the `a_pes2ts` field, which contains a callback function pointer, is located after the `packet` buffer. Overwriting this pointer can lead to control flow hijacking.

Fix this by adding a bounds check for the parsed length against the buffer size.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Co-developed-by: Sanghoon Choi
Signed-off-by: Sanghoon Choi
Signed-off-by: Seungjin Bae
---
v1 -> v2: Change warning function
v2 -> v3: Add missing comma in the dev_warn argument

 drivers/media/usb/ttusb-dec/ttusb_dec.c | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/drivers/media/usb/ttusb-dec/ttusb_dec.c b/drivers/media/usb/ttusb-dec/ttusb_dec.c
index b4575fe89c95..0e983783e787 100644
--- a/drivers/media/usb/ttusb-dec/ttusb_dec.c
+++ b/drivers/media/usb/ttusb-dec/ttusb_dec.c
@@ -703,10 +703,19 @@ static void ttusb_dec_process_urb_frame(struct ttusb_= dec *dec, u8 *b, =20 if (dec->packet_type =3D=3D TTUSB_DEC_PACKET_PVA && dec->packet_length =3D=3D 8) { - dec->packet_state++; - dec->packet_payload_length =3D 8 + + int len =3D 8 + (dec->packet[6] << 8) + dec->packet[7]; + + if (len > MAX_PVA_LENGTH + 4) { + dev_warn(&dec->udev->dev, + "%s: packet too long - discarding\n", + __func__); + dec->packet_state =3D 0; + } else { + dec->packet_state++; + dec->packet_payload_length =3D len; + } } else if (dec->packet_type =3D=3D TTUSB_DEC_PACKET_SECTION && dec->packet_length =3D=3D 5) { --=20 2.43.0
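Review bot: the new `if (len > MAX_PVA_LENGTH + 4)` check repeats the buffer size as a literal expression rather than deriving it from the buffer; since the commit message states that `packet` is a fixed-size buffer of `MAX_PVA_LENGTH + 4`, comparing against `sizeof(dec->packet)` (assuming `packet` is an array member) ties the bound to the declaration so a later resize cannot silently reopen the overflow. Because this branch is reachable by any attached device repeating the same frame, the unconditional `dev_warn()` also lets a misbehaving device flood the kernel log; `dev_warn_ratelimited()` keeps the diagnostic without that side effect. A one-line comment noting that `len` includes the 8-byte header, which is why it is compared against the whole buffer and not just the payload space, would help the next reader of this check.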
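The length mismatch the commit message describes, modelled as a stand-alone C program (added example, not the kernel driver's code): a fixed-size `packet` buffer followed by a callback pointer, the 16-bit length field as the driver derives it, and the hardened accept/discard step beside it. The struct, the helper names and the `MAX_PVA_LENGTH` value are assumptions made for this model.

```c
/* Stand-alone model of the PVA length check from the ttusb-dec fix.
 * Not the kernel driver's code: struct layout, constants and helper
 * names below are constructed for illustration. */
#include <stdint.h>
#include <string.h>

#define MAX_PVA_LENGTH 6144   /* assumed value; the real one lives in ttusb_dec.c */
#define PVA_HEADER_LEN 8      /* PVA header is 8 bytes; length field at bytes 6..7 */

/* Mirrors the layout the commit message describes: the callback pointer
 * sits right after the fixed-size packet buffer, so an over-long copy
 * into packet[] would reach it. */
struct dec_model {
	uint8_t packet[MAX_PVA_LENGTH + 4];
	void (*a_pes2ts)(void);
	int packet_state;
	int packet_payload_length;
};

/* Length exactly as the driver computes it: 8 + big-endian u16 from
 * bytes 6..7. The maximum is 8 + 0xFFFF = 65543, far above the buffer. */
int pva_payload_length(const uint8_t *hdr)
{
	return PVA_HEADER_LEN + (hdr[6] << 8) + hdr[7];
}

/* Hardened step: accept the header only if the whole packet (header
 * included) fits in packet[]. Returns 1 when accepted, 0 when discarded. */
int pva_accept_header(struct dec_model *dec)
{
	int len = pva_payload_length(dec->packet);

	if (len > (int)sizeof(dec->packet)) {
		dec->packet_state = 0;      /* discard and resync, like the patch */
		return 0;
	}
	dec->packet_state++;
	dec->packet_payload_length = len;
	return 1;
}

/* Test helper: write a declared u16 length into a zeroed header and run
 * the check, so callers can probe the boundary without building frames. */
int pva_check_with_length(uint16_t declared)
{
	struct dec_model dec;

	memset(&dec, 0, sizeof(dec));
	dec.packet[6] = (uint8_t)(declared >> 8);
	dec.packet[7] = (uint8_t)(declared & 0xff);
	return pva_accept_header(&dec);
}
```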