From: pip-izony
To: Mauro Carvalho Chehab
Cc: Seungjin Bae, Kyungtae Kim, Sanghoon Choi, linux-media@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH v4] media: ttusb-dec: fix heap-buffer-overflow in ttusb_dec_process_urb_frame()
Date: Tue, 30 Dec 2025 14:50:42 -0500
Message-ID: <20251230195041.36768-2-eeodqql09@gmail.com>
In-Reply-To: <20251223010121.1142862-2-eeodqql09@gmail.com>
References: <20251223010121.1142862-2-eeodqql09@gmail.com>
X-Mailing-List: linux-kernel@vger.kernel.org
From: Seungjin Bae

The `ttusb_dec_process_urb_frame()` parses the PVA packet from the USB device. However, it doesn't check whether the calculated `packet_payload_length` exceeds the size of the `packet` buffer.

The `packet` buffer has a fixed size of `MAX_PVA_LENGTH + 4`. However, `packet_payload_length` is derived from 2 bytes of the input data, allowing a maximum value of 65543 bytes (8 + 0xFFFF).

If a malicious USB device sends a packet with crafted data, it triggers a heap buffer overflow. This allows an attacker to overwrite adjacent fields in the `struct ttusb_dec`. Specifically, the `a_pes2ts` field, which contains a callback function pointer, is located after the `packet` buffer. Overwriting this pointer can lead to control flow hijacking.

Fix this by adding a bounds check for the parsed length against the buffer size.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Co-developed-by: Sanghoon Choi
Signed-off-by: Sanghoon Choi
Signed-off-by: Seungjin Bae
---
v1 -> v2: Change warning function
v2 -> v3: Add missing comma in the dev_warn argument
v3 -> v4: Edit alignment

 drivers/media/usb/ttusb-dec/ttusb_dec.c | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/drivers/media/usb/ttusb-dec/ttusb_dec.c b/drivers/media/usb/ttusb-dec/ttusb_dec.c
index b4575fe89c95..17c7a8d5ada9 100644
--- a/drivers/media/usb/ttusb-dec/ttusb_dec.c
+++ b/drivers/media/usb/ttusb-dec/ttusb_dec.c
@@ -703,10 +703,19 @@ static void ttusb_dec_process_urb_frame(struct ttusb_= dec *dec, u8 *b, =20 if (dec->packet_type =3D=3D TTUSB_DEC_PACKET_PVA && dec->packet_length =3D=3D 8) { - dec->packet_state++; - dec->packet_payload_length =3D 8 + + int len =3D 8 + (dec->packet[6] << 8) + dec->packet[7]; + + if (len > MAX_PVA_LENGTH + 4) { + dev_warn(&dec->udev->dev, + "%s: packet too long - discarding\n", + __func__); + dec->packet_state =3D 0; + } else { + dec->packet_state++; + dec->packet_payload_length =3D len; + } } else if (dec->packet_type =3D=3D TTUSB_DEC_PACKET_SECTION && dec->packet_length =3D=3D 5) { --=20 2.43.0
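Review bot: the `dev_warn()` in the new rejection path fires once per over-length packet, and the commit message itself notes that this length is device-controlled, so a misbehaving device can fill the log at USB frame rate; `dev_warn_ratelimited()` with the same three arguments keeps the diagnostic without that cost. Second, `if (len > MAX_PVA_LENGTH + 4)` restates the buffer's declared size by hand; since the commit message describes `packet` as a fixed-size buffer of exactly that length, `if (len > sizeof(dec->packet))` ties the check to the declaration so the two cannot drift apart if the array is ever resized. Finally, the hunk header promises 10 old lines but only 7 are visible here, so the remainder of the removed `dec->packet_payload_length = 8 +` expression does not appear in this copy; worth confirming against the applied patch that the whole old expression was removed and nothing dangles after the new `if`/`else`.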
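To make the arithmetic in the commit message concrete, here is an added user-space model of the length check before and after the patch. This is example code written for this page, not the driver's own code: it assumes a value for `MAX_PVA_LENGTH` (the real driver defines its own), uses a hypothetical reduced `struct pva_dec` in place of `struct ttusb_dec` with the same field order the commit message describes (a callback pointer directly after the packet buffer), and feeds it a constructed 8-byte header. The helpers `pva_len_for_payload`, `make_header`, `unchecked_would_overflow` and `checked_accepts` do not exist in the driver.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* ASSUMED for this demo: the real driver defines MAX_PVA_LENGTH itself. */
#define MAX_PVA_LENGTH 6144
/* Size of the packet buffer as the commit message describes it: MAX_PVA_LENGTH + 4. */
#define PACKET_BUF_SIZE (MAX_PVA_LENGTH + 4)

/*
 * Hypothetical, reduced model of the fields the check touches. The real
 * struct ttusb_dec has many more members; what matters here is the order:
 * a function pointer sits right after the fixed-size packet buffer.
 */
struct pva_dec {
	uint8_t packet[PACKET_BUF_SIZE];
	void (*a_pes2ts_cb)(void *);	/* stands in for the callback the commit message names */
	size_t packet_length;		/* bytes of the current packet already buffered */
	size_t packet_payload_length;	/* total bytes this packet is expected to occupy */
	int packet_state;
};

/* PVA length: 16-bit big-endian at header bytes 6..7, plus the 8-byte header itself. */
static size_t pva_total_length(const uint8_t *hdr)
{
	return 8 + ((size_t)hdr[6] << 8) + hdr[7];
}

/* Same computation from a bare payload length, for callers without a header in hand. */
static size_t pva_len_for_payload(uint16_t payload_len)
{
	uint8_t hdr[8] = { 0 };

	hdr[6] = payload_len >> 8;
	hdr[7] = payload_len & 0xff;
	return pva_total_length(hdr);
}

/* Before the fix: the device-supplied length is trusted as-is. */
static void pva_accept_unchecked(struct pva_dec *dec)
{
	dec->packet_state++;
	dec->packet_payload_length = pva_total_length(dec->packet);
}

/*
 * After the fix: a length the buffer cannot hold discards the packet and
 * resets the state machine. Returns 1 when accepted, 0 when discarded.
 */
static int pva_accept_checked(struct pva_dec *dec)
{
	size_t len = pva_total_length(dec->packet);

	if (len > sizeof(dec->packet)) {
		dec->packet_state = 0;
		return 0;
	}
	dec->packet_state++;
	dec->packet_payload_length = len;
	return 1;
}

/* Fill dec with a constructed 8-byte PVA header carrying the given payload length. */
static void make_header(struct pva_dec *dec, uint16_t payload_len)
{
	memset(dec, 0, sizeof(*dec));
	dec->packet[6] = payload_len >> 8;
	dec->packet[7] = payload_len & 0xff;
	dec->packet_length = 8;	/* the state the driver is in when it reads the length */
}

/* 1 if the unchecked parser would let the later copy run past the buffer. */
static int unchecked_would_overflow(uint16_t payload_len)
{
	struct pva_dec dec;

	make_header(&dec, payload_len);
	pva_accept_unchecked(&dec);
	return dec.packet_payload_length > sizeof(dec.packet);
}

/* Result of the fixed check for a given payload length: 1 accepted, 0 discarded. */
static int checked_accepts(uint16_t payload_len)
{
	struct pva_dec dec;

	make_header(&dec, payload_len);
	return pva_accept_checked(&dec);
}

int main(void)
{
	printf("buffer size: %zu bytes\n", (size_t)PACKET_BUF_SIZE);
	printf("largest length a device can claim: %zu bytes\n", pva_len_for_payload(0xffff));
	printf("unchecked parser overflows on 0xffff: %d\n", unchecked_would_overflow(0xffff));
	printf("checked parser accepts 0xffff: %d\n", checked_accepts(0xffff));
	printf("checked parser accepts payload %d: %d\n", PACKET_BUF_SIZE - 8, checked_accepts(PACKET_BUF_SIZE - 8));
	printf("checked parser accepts payload %d: %d\n", PACKET_BUF_SIZE - 7, checked_accepts(PACKET_BUF_SIZE - 7));
	return 0;
}
```

The comparison is against `sizeof(dec->packet)` rather than a repeated constant so that the bound follows the array declaration; the boundary cases in `main` show that a total length exactly equal to the buffer size is still accepted and one byte more is discarded, which is the largest `packet_payload_length` the later copy into `packet` can safely use.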