drivers/media/usb/dvb-usb-v2/az6007.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)
syzbot report a corrupted list in az6007_i2c_xfer. [1]
Before accessing the member data of the struct az6007_device_state, only
the lower boundary of data is checked, but the upper boundary is not checked.
When the value of msgs[i].len is damaged or too large, it will cause out
of bounds access to st->data.
[1]
UBSAN: array-index-out-of-bounds in drivers/media/usb/dvb-usb-v2/az6007.c:821:30
index 4096 is out of range for type 'unsigned char [4096]'
CPU: 1 UID: 0 PID: 5832 Comm: syz-executor328 Not tainted 6.15.0-rc2-syzkaller-00493-gac71fabf1567 #0 PREEMPT(full)
Call Trace:
<TASK>
az6007_i2c_xfer+0x549/0xc30 drivers/media/usb/dvb-usb-v2/az6007.c:821
i2c_transfer_buffer_flags+0x10c/0x190 drivers/i2c/i2c-core-base.c:2343
i2cdev_read+0x111/0x280 drivers/i2c/i2c-dev.c:155
do_loop_readv_writev fs/read_write.c:833 [inline]
do_preadv+0x1af/0x270 fs/read_write.c:1130
do_syscall_64+0xcd/0x260 arch/x86/entry/syscall_64.c:94
Reported-by: syzbot+0192952caa411a3be209@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=0192952caa411a3be209
Signed-off-by: Edward Adam Davis <eadavis@qq.com>
---
drivers/media/usb/dvb-usb-v2/az6007.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/media/usb/dvb-usb-v2/az6007.c b/drivers/media/usb/dvb-usb-v2/az6007.c
index 65ef045b74ca..6322894eda27 100644
--- a/drivers/media/usb/dvb-usb-v2/az6007.c
+++ b/drivers/media/usb/dvb-usb-v2/az6007.c
@@ -806,7 +806,8 @@ static int az6007_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg msgs[],
if (az6007_xfer_debug)
printk(KERN_DEBUG "az6007: I2C R addr=0x%x len=%d\n",
addr, msgs[i].len);
- if (msgs[i].len < 1) {
+ if (msgs[i].len < 1 ||
+ msgs[i].len > ARRAY_SIZE(st->data) - 5) {
ret = -EIO;
goto err;
}
--
2.43.0On 21/04/2025 16:31, Edward Adam Davis wrote:
> syzbot report a corrupted list in az6007_i2c_xfer. [1]
>
> Before accessing the member data of the struct az6007_device_state, only
> the lower boundary of data is checked, but the upper boundary is not checked.
> When the value of msgs[i].len is damaged or too large, it will cause out
> of bounds access to st->data.
>
> [1]
> UBSAN: array-index-out-of-bounds in drivers/media/usb/dvb-usb-v2/az6007.c:821:30
> index 4096 is out of range for type 'unsigned char [4096]'
> CPU: 1 UID: 0 PID: 5832 Comm: syz-executor328 Not tainted 6.15.0-rc2-syzkaller-00493-gac71fabf1567 #0 PREEMPT(full)
> Call Trace:
> <TASK>
> az6007_i2c_xfer+0x549/0xc30 drivers/media/usb/dvb-usb-v2/az6007.c:821
> i2c_transfer_buffer_flags+0x10c/0x190 drivers/i2c/i2c-core-base.c:2343
> i2cdev_read+0x111/0x280 drivers/i2c/i2c-dev.c:155
> do_loop_readv_writev fs/read_write.c:833 [inline]
> do_preadv+0x1af/0x270 fs/read_write.c:1130
> do_syscall_64+0xcd/0x260 arch/x86/entry/syscall_64.c:94
>
> Reported-by: syzbot+0192952caa411a3be209@syzkaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=0192952caa411a3be209
> Signed-off-by: Edward Adam Davis <eadavis@qq.com>
> ---
> drivers/media/usb/dvb-usb-v2/az6007.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/media/usb/dvb-usb-v2/az6007.c b/drivers/media/usb/dvb-usb-v2/az6007.c
> index 65ef045b74ca..6322894eda27 100644
> --- a/drivers/media/usb/dvb-usb-v2/az6007.c
> +++ b/drivers/media/usb/dvb-usb-v2/az6007.c
> @@ -806,7 +806,8 @@ static int az6007_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg msgs[],
> if (az6007_xfer_debug)
> printk(KERN_DEBUG "az6007: I2C R addr=0x%x len=%d\n",
> addr, msgs[i].len);
> - if (msgs[i].len < 1) {
> + if (msgs[i].len < 1 ||
> + msgs[i].len > ARRAY_SIZE(st->data) - 5) {
Hmm, shouldn't this be '- 6'? Since a few lines below this the length passed
to __az6007_read is msgs[i].len + 6.
Regards,
Hans
> ret = -EIO;
> goto err;
> }
Hi Edward,
As I am currently trying over there:
https://syzkaller.appspot.com/text?tag=Patch&x=10f3ac70580000, I think
we also have a race condition related to the disconnection of the usb
device.
What do you think ?
Arnaud
On 21/04/2025 16:31, Edward Adam Davis wrote:
> syzbot report a corrupted list in az6007_i2c_xfer. [1]
>
> Before accessing the member data of the struct az6007_device_state, only
> the lower boundary of data is checked, but the upper boundary is not checked.
> When the value of msgs[i].len is damaged or too large, it will cause out
> of bounds access to st->data.
>
> [1]
> UBSAN: array-index-out-of-bounds in drivers/media/usb/dvb-usb-v2/az6007.c:821:30
> index 4096 is out of range for type 'unsigned char [4096]'
> CPU: 1 UID: 0 PID: 5832 Comm: syz-executor328 Not tainted 6.15.0-rc2-syzkaller-00493-gac71fabf1567 #0 PREEMPT(full)
> Call Trace:
> <TASK>
> az6007_i2c_xfer+0x549/0xc30 drivers/media/usb/dvb-usb-v2/az6007.c:821
> i2c_transfer_buffer_flags+0x10c/0x190 drivers/i2c/i2c-core-base.c:2343
> i2cdev_read+0x111/0x280 drivers/i2c/i2c-dev.c:155
> do_loop_readv_writev fs/read_write.c:833 [inline]
> do_preadv+0x1af/0x270 fs/read_write.c:1130
> do_syscall_64+0xcd/0x260 arch/x86/entry/syscall_64.c:94
>
> Reported-by: syzbot+0192952caa411a3be209@syzkaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=0192952caa411a3be209
> Signed-off-by: Edward Adam Davis <eadavis@qq.com>
> ---
> drivers/media/usb/dvb-usb-v2/az6007.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/media/usb/dvb-usb-v2/az6007.c b/drivers/media/usb/dvb-usb-v2/az6007.c
> index 65ef045b74ca..6322894eda27 100644
> --- a/drivers/media/usb/dvb-usb-v2/az6007.c
> +++ b/drivers/media/usb/dvb-usb-v2/az6007.c
> @@ -806,7 +806,8 @@ static int az6007_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg msgs[],
> if (az6007_xfer_debug)
> printk(KERN_DEBUG "az6007: I2C R addr=0x%x len=%d\n",
> addr, msgs[i].len);
> - if (msgs[i].len < 1) {
> + if (msgs[i].len < 1 ||
> + msgs[i].len > ARRAY_SIZE(st->data) - 5) {
> ret = -EIO;
> goto err;
> }
© 2016 - 2026 Red Hat, Inc.