From: Deepanshu Kartikey
To: mchehab@kernel.org
Cc: harperchen1110@gmail.com, linux-media@vger.kernel.org, linux-kernel@vger.kernel.org, Deepanshu Kartikey, syzbot+64485d3659c4c07111b4@syzkaller.appspotmail.com, Deepanshu Kartikey
Subject: [PATCH] media: ec168: fix slab-out-of-bounds in ec168_i2c_xfer
Date: Tue, 24 Mar 2026 05:45:23 +0530
Message-ID: <20260324001523.1446434-1-kartikey406@gmail.com>

The WRITE_DEMOD path in ec168_i2c_xfer() checks msg[i].len < 1 before
accessing the buffer, but then reads both buf[0] (register) and buf[1]
(value). If userspace supplies a 1-byte I2C message, the read of buf[1]
goes out of bounds, triggering a KASAN slab-out-of-bounds error.

Fix by checking msg[i].len < 2 and returning -EOPNOTSUPP if the buffer
is too short to contain both register and value bytes.

Fixes: a6dcefcc08ec ("media: dvb-usb-v2: ec168: fix null-ptr-deref in ec168_i2c_xfer()")
Reported-by: syzbot+64485d3659c4c07111b4@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=64485d3659c4c07111b4
Tested-by: syzbot+64485d3659c4c07111b4@syzkaller.appspotmail.com
Signed-off-by: Deepanshu Kartikey
---
 drivers/media/usb/dvb-usb-v2/ec168.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/media/usb/dvb-usb-v2/ec168.c b/drivers/media/usb/dvb-u= sb-v2/ec168.c index 973b32356b17..ebfb02826b20 100644
--- a/drivers/media/usb/dvb-usb-v2/ec168.c +++ b/drivers/media/usb/dvb-usb-v2/ec168.c @@ -135,7 +135,7 @@ static int ec168_i2c_xfer(struct i2c_adapter *adap, str= uct i2c_msg msg[], } } else { if (msg[i].addr =3D=3D ec168_ec100_config.demod_address) { - if (msg[i].len < 1) { + if (msg[i].len < 2) { i =3D -EOPNOTSUPP; break; } --=20 2.43.0
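
Review bot: the new bound at `if (msg[i].len < 2)` is correct for the two bytes the commit message says this branch reads (buf[0] as register, buf[1] as value), but the hunk touches only the demod-address write branch of ec168_i2c_xfer(), and the literal 2 carries no explanation. The context `} } else {` just above closes a separate branch of the same transfer loop, and the `if (msg[i].addr == ec168_ec100_config.demod_address)` test implies other addresses take a different path; please state in the commit message that every other branch was audited and that each msg[i].len check there covers the highest buf index the branch dereferences, because the previous fix named in the Fixes tag left exactly this kind of off-by-one behind. A one-line comment above the check saying the message must hold a register byte plus a value byte would keep the bound from being lowered again. Since the commit message describes the short message as supplied by userspace, consider adding Cc: stable@vger.kernel.org so the fix is backported alongside a6dcefcc08ec.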