From: Deepanshu Kartikey
To: mchehab@kernel.org
Cc: harperchen1110@gmail.com, linux-media@vger.kernel.org, linux-kernel@vger.kernel.org, Deepanshu Kartikey, stable@vger.kernel.org, syzbot+64485d3659c4c07111b4@syzkaller.appspotmail.com
Subject: [PATCH v2] media: ec168: fix slab-out-of-bounds in ec168_i2c_xfer
Date: Tue, 24 Mar 2026 07:25:39 +0530
Message-ID: <20260324015539.1451660-1-kartikey406@gmail.com>

The WRITE_DEMOD path in ec168_i2c_xfer() checks msg[i].len < 1 before
accessing the buffer, but then reads both buf[0] (register) and buf[1]
(value). If userspace supplies a 1-byte I2C message, the read of buf[1]
goes out of bounds, triggering a KASAN slab-out-of-bounds error.

Fix by checking msg[i].len < 2 and returning -EOPNOTSUPP if the buffer
is too short to contain both register and value bytes.

Fixes: a6dcefcc08ec ("media: dvb-usb-v2: ec168: fix null-ptr-deref in ec168_i2c_xfer()")
Cc: stable@vger.kernel.org
Reported-by: syzbot+64485d3659c4c07111b4@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=64485d3659c4c07111b4
Tested-by: syzbot+64485d3659c4c07111b4@syzkaller.appspotmail.com
Signed-off-by: Deepanshu Kartikey --- Changes in v2: - Fix author email case (Kartikey406 -> kartikey406) - Add Cc: stable@vger.kernel.org as the Fixes tag points to a commit present in the stable tree --- drivers/media/usb/dvb-usb-v2/ec168.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/media/usb/dvb-usb-v2/ec168.c b/drivers/media/usb/dvb-u= sb-v2/ec168.c index 973b32356b17..ebfb02826b20 100644 --- a/drivers/media/usb/dvb-usb-v2/ec168.c +++ b/drivers/media/usb/dvb-usb-v2/ec168.c @@ -135,7 +135,7 @@ static int ec168_i2c_xfer(struct i2c_adapter *adap, str= uct i2c_msg msg[], } } else { if (msg[i].addr =3D=3D ec168_ec100_config.demod_address) { - if (msg[i].len < 1) { + if (msg[i].len < 2) { i =3D -EOPNOTSUPP; break; } --=20 2.43.0
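Review bot: the new bound in `if (msg[i].len < 2)` is a bare constant whose meaning (one register byte in buf[0] plus one value byte in buf[1]) is explained only in the commit message; a one-line comment above the check would keep a later cleanup from loosening it back to 1. Because the rejected input is a message too short to be valid rather than an operation the device lacks, -EINVAL would describe the failure more precisely than `i = -EOPNOTSUPP;`, though keeping the existing code is reasonable if callers already depend on it. The hunk shows only the branch for `ec168_ec100_config.demod_address`, so it would help to state in the changelog whether the other branches of ec168_i2c_xfer() were checked for the same mismatch between the length test and the highest buffer index read.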