Commit 4195b685 authored Jul 10, 2023 by Zhang Shurong Committed by sanglipeng Mar 07, 2024

media: dvb-usb-v2: gl861: Fix null-ptr-deref in gl861_i2c_master_xfer

stable inclusion
from stable-v5.10.197
commit 578b67614ae0e4fba3945b66a4c8f9ae77115bcb
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I96Q8P

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=578b67614ae0e4fba3945b66a4c8f9ae77115bcb



--------------------------------

[ Upstream commit b97719a6 ]

In gl861_i2c_master_xfer, msg is controlled by user. When msg[i].buf
is null and msg[i].len is zero, former checks on msg[i].buf would be
passed. Malicious data finally reach gl861_i2c_master_xfer. If accessing
msg[i].buf[0] without sanity check, null ptr deref would happen.
We add check on msg[i].len to prevent crash.

Similar commit:
commit 0ed554fd
("media: dvb-usb: az6027: fix null-ptr-deref in az6027_i2c_xfer()")

Signed-off-by: Zhang Shurong <zhang_shurong@foxmail.com>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: sanglipeng <sanglipeng1@jd.com>

parent be6a5684

drivers/media/usb/dvb-usb-v2/gl861.c

+1 −1

Original line number	Diff line number	Diff line
		@@ -120,7 +120,7 @@ static int gl861_i2c_master_xfer(struct i2c_adapter *adap, struct i2c_msg msg[],
		} else if (num == 2 && !(msg[0].flags & I2C_M_RD) &&
		(msg[1].flags & I2C_M_RD)) {
		/* I2C write + read */
		if (msg[0].len > 1 \|\| msg[1].len > sizeof(ctx->buf)) {
		if (msg[0].len != 1 \|\| msg[1].len > sizeof(ctx->buf)) {
		ret = -EOPNOTSUPP;
		goto err;
		}