linux-stable/drivers
Baisong Zhong 6fbc44731a media: dvb-usb: az6027: fix null-ptr-deref in az6027_i2c_xfer()
[ Upstream commit 0ed554fd76 ]

Wei Chen reports a kernel bug as below:

general protection fault, probably for non-canonical address
KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017]
...
Call Trace:
<TASK>
__i2c_transfer+0x77e/0x1930 drivers/i2c/i2c-core-base.c:2109
i2c_transfer+0x1d5/0x3d0 drivers/i2c/i2c-core-base.c:2170
i2cdev_ioctl_rdwr+0x393/0x660 drivers/i2c/i2c-dev.c:297
i2cdev_ioctl+0x75d/0x9f0 drivers/i2c/i2c-dev.c:458
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:870 [inline]
__se_sys_ioctl+0xfb/0x170 fs/ioctl.c:856
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3d/0x90 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7fd834a8bded

In az6027_i2c_xfer(), if msg[i].addr is 0x99,
a null-ptr-deref will be caused when accessing msg[i].buf,
for msg[i].len is 0 and msg[i].buf is null.

Fix this by checking msg[i].len in az6027_i2c_xfer().

Link: https://lore.kernel.org/lkml/CAO4mrfcPHB5aQJO=mpqV+p8mPLNg-Fok0gw8gZ=zemAfMGTzMg@mail.gmail.com/

Link: https://lore.kernel.org/linux-media/20221120065918.2160782-1-zhongbaisong@huawei.com
Fixes: 76f9a820c8 ("V4L/DVB: AZ6027: Initial import of the driver")
Reported-by: Wei Chen <harperchen1110@gmail.com>
Signed-off-by: Baisong Zhong <zhongbaisong@huawei.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2022-12-31 13:26:03 +01:00
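The bug class described in the commit above, as an added user-space C model (this is not the az6027 driver's code or the upstream fix). The struct mirrors the kernel's i2c_msg field layout and the address 0x99 is taken from the commit message; the function names, the -EINVAL return value and the sample messages are assumptions made for illustration. It shows the unchecked pattern that reads msg[i].buf when the address matches, beside the hardened pattern that validates msg[i].len first, run against a constructed I2C_RDWR-style message with len == 0 and buf == NULL.

```c
/* Added example (not the driver's code): user-space model of the
 * null-ptr-deref fixed in az6027_i2c_xfer().  struct i2c_msg mirrors the
 * kernel's field layout; MODEL_ADDR comes from the commit message; every
 * other name and value here is an assumption for illustration. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

struct i2c_msg {
    uint16_t addr;   /* 7-bit slave address, chosen by user space via I2C_RDWR */
    uint16_t flags;  /* I2C_M_RD etc. */
    uint16_t len;    /* bytes in buf; user space may pass 0 */
    uint8_t *buf;    /* NULL in the report when len == 0 */
};

#define MODEL_ADDR 0x99  /* address the commit message says reaches msg[i].buf */

/* Buggy pattern: a matching address is taken to imply a populated buffer.
 * With the I2C_RDWR ioctl (i2cdev_ioctl_rdwr in the trace), user space
 * controls addr, len and buf, so len == 0 / buf == NULL is reachable and
 * buf[0] dereferences NULL. */
static int xfer_unchecked(const struct i2c_msg *msgs, int num, uint8_t *reg_out)
{
    for (int i = 0; i < num; i++) {
        if (msgs[i].addr == MODEL_ADDR)
            *reg_out = msgs[i].buf[0];   /* faults when buf == NULL */
    }
    return num;
}

/* Hardened pattern: reject any message whose length does not cover the
 * bytes about to be read.  The commit checks msg[i].len; returning -EINVAL
 * is my choice here, not something taken from the driver. */
static int xfer_checked(const struct i2c_msg *msgs, int num, uint8_t *reg_out)
{
    for (int i = 0; i < num; i++) {
        if (msgs[i].addr != MODEL_ADDR)
            continue;
        if (msgs[i].len < 1 || msgs[i].buf == NULL)
            return -EINVAL;
        *reg_out = msgs[i].buf[0];
    }
    return num;
}

/* Constructed input: the shape the driver sees for an I2C_RDWR request
 * carrying a zero-length message to the address in the report. */
static struct i2c_msg hostile_msg(void)
{
    struct i2c_msg m = { .addr = MODEL_ADDR, .flags = 0, .len = 0, .buf = NULL };
    return m;
}

/* Constructed input: a well-formed one-byte message to the same address. */
static struct i2c_msg benign_msg(uint8_t *byte)
{
    struct i2c_msg m = { .addr = MODEL_ADDR, .flags = 0, .len = 1, .buf = byte };
    return m;
}

int main(void)
{
    uint8_t reg = 0, payload = 0x5a;
    struct i2c_msg bad = hostile_msg();
    struct i2c_msg good = benign_msg(&payload);

    printf("checked, hostile msg: %d (expect -EINVAL = %d)\n",
           xfer_checked(&bad, 1, &reg), -EINVAL);
    printf("checked, benign msg:  %d, reg=0x%02x\n",
           xfer_checked(&good, 1, &reg), reg);
    /* The unchecked path is fine on a populated buffer ... */
    printf("unchecked, benign:    %d, reg=0x%02x\n",
           xfer_unchecked(&good, 1, &reg), reg);
    /* ... but xfer_unchecked(&bad, 1, &reg) would dereference NULL here,
     * the user-space analogue of the KASAN report quoted in the commit. */
    return 0;
}
```

The practitioner's check this models: any i2c adapter or client callback reached through i2c-dev must treat msg[i].len and msg[i].buf as untrusted, and validate len against the bytes it is about to read or write before indexing buf.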
accessibility speakup: replace utils' u_char with unsigned char 2022-11-26 09:27:45 +01:00
acpi ACPICA: Fix use-after-free in acpi_ut_copy_ipackage_to_ipackage() 2022-12-31 13:25:46 +01:00
amba
android binder: validate alloc->mm in ->mmap() handler 2022-12-02 17:42:59 +01:00
ata ata: libata: fix NCQ autosense logic 2022-12-31 13:25:50 +01:00
atm
auxdisplay
base regmap-irq: Use the new num_config_regs property in regmap_add_irq_chip_fwnode 2022-12-31 13:25:56 +01:00
bcma
block drbd: destroy workqueue when drbd device was freed 2022-12-31 13:26:02 +01:00
bluetooth Bluetooth: btusb: Add debug message for CSR controllers 2022-12-14 11:40:52 +01:00
bus bus: ixp4xx: Don't touch bit 7 on IXP42x 2022-12-02 17:43:11 +01:00
cdrom
char ipmi: kcs: Poll OBF briefly to reduce OBE latency 2022-12-31 13:25:50 +01:00
clk clk: imx8mn: fix imx8mn_enet_phy_sels clocks list 2022-12-31 13:26:02 +01:00
clocksource clocksource/drivers/timer-ti-dm: Fix missing clk_disable_unprepare in dmtimer_systimer_init_clock() 2022-12-31 13:25:46 +01:00
comedi
connector
counter counter: 104-quad-8: Fix race getting function mode and direction 2022-11-04 00:00:23 +09:00
cpufreq cpufreq: amd_freq_sensitivity: Add missing pci_dev_put() 2022-12-31 13:25:45 +01:00
cpuidle cpuidle: dt: Return the correct numbers of parsed idle states 2022-12-31 13:25:42 +01:00
crypto crypto: ccp - Add a quirk to firmware update 2022-12-14 11:40:50 +01:00
cxl cxl/pmem: Use size_add() against integer overflow 2022-11-26 09:27:21 +01:00
dax devdax: Fix soft-reservation memory description 2022-09-24 18:05:53 -07:00
dca
devfreq
dio
dma dmaengine: at_hdmac: Check return code of dma_async_device_register 2022-11-16 10:04:14 +01:00
dma-buf dma-buf: Use dma_fence_unwrap_for_each when importing fences 2022-12-02 17:43:10 +01:00
edac EDAC/i10nm: fix refcount leak in pci_get_dev_wrapper() 2022-12-31 13:25:44 +01:00
eisa
extcon
firewire
firmware firmware: ti_sci: Fix polled mode during system suspend 2022-12-31 13:25:36 +01:00
fpga fpga: m10bmc-sec: Fix kconfig dependencies 2022-12-02 17:43:12 +01:00
fsi fsi: master-ast-cf: Fix missing of_node_put in fsi_master_acf_probe 2022-10-21 12:39:26 +02:00
gnss
gpio gpio/rockchip: fix refcount leak in rockchip_gpiolib_register() 2022-12-14 11:41:02 +01:00
gpu drm/i915/guc: make default_lists const data 2022-12-31 13:26:01 +01:00
greybus
hid HID: hid-sensor-custom: set fixed size for custom attributes 2022-12-31 13:26:00 +01:00
hsi HSI: ssi_protocol: fix potential resource leak in ssip_pn_open() 2022-10-21 12:39:23 +02:00
hte
hv Drivers: hv: vmbus: fix possible memory leak in vmbus_device_register() 2022-12-02 17:43:06 +01:00
hwmon hwmon: (asus-ec-sensors) Add checks for devm_kcalloc 2022-12-08 11:30:18 +01:00
hwspinlock hwspinlock: qcom: correct MMIO max register for newer SoCs 2022-11-16 10:03:50 +01:00
hwtracing coresight: cti: Fix hang in cti_disable_hw() 2022-11-04 00:00:22 +09:00
i2c i2c: imx: Only DMA messages with I2C_M_DMA_SAFE flag set 2022-12-08 11:30:21 +01:00
i3c
idle
iio iio: light: rpr0521: add missing Kconfig dependencies 2022-12-08 11:30:14 +01:00
infiniband RDMA/efa: Add EFA 0xefa2 PCI ID 2022-11-26 09:27:18 +01:00
input Input: elants_i2c - properly handle the reset GPIO when power is off 2022-12-31 13:25:59 +01:00
interconnect
iommu iommu/vt-d: Fix PCI device refcount leak in dmar_dev_scope_init() 2022-12-08 11:30:21 +01:00
ipack
irqchip irqchip/loongson-liointc: Fix improper error handling in liointc_init() 2022-12-31 13:25:44 +01:00
isdn mISDN: fix misuse of put_device() in mISDN_register_device() 2022-11-26 09:27:35 +01:00
leds leds: lm3601x: Don't use mutex after it was destroyed 2022-10-21 12:38:02 +02:00
macintosh
mailbox mailbox: pcc: Reset pcc_chan_count to zero in case of PCC probe failure 2022-12-31 13:25:43 +01:00
mcb
md dm: track per-add_disk holder relations in DM 2022-12-31 13:25:59 +01:00
media media: dvb-usb: az6027: fix null-ptr-deref in az6027_i2c_xfer() 2022-12-31 13:26:03 +01:00
memory memory: renesas-rpc-if: Clear HS bit during hardware initialization 2022-12-31 13:25:36 +01:00
memstick
message
mfd mfd: da9061: Fix Failed to set Two-Wire Bus Mode. 2022-10-21 12:38:52 +02:00
misc misc/vmw_vmci: fix an infoleak in vmci_host_do_receive_datagram() 2022-11-26 09:27:51 +01:00
mmc mmc: sdhci: Fix voltage switch delay 2022-12-08 11:30:20 +01:00
most
mtd mtd: maps: pxa2xx-flash: fix memory leak in probe 2022-12-31 13:26:02 +01:00
mux
net bonding: fix link recovery in mode 2 when updelay is nonzero 2022-12-31 13:26:01 +01:00
nfc nfc: st-nci: fix incorrect sizing calculations in EVT_TRANSACTION 2022-12-02 17:43:09 +01:00
ntb
nubus
nvdimm Merge branch 'for-6.0/dax' into libnvdimm-fixes 2022-09-24 18:14:12 -07:00
nvme nvme: return err on nvme_init_non_mdts_limits fail 2022-12-31 13:25:58 +01:00
nvmem nvmem: rmem: Fix return value check in rmem_read() 2022-12-08 11:30:15 +01:00
of of: property: decrement node refcount in of_fwnode_get_reference_args() 2022-12-08 11:30:15 +01:00
opp
parisc parisc: Export iosapic_serial_irq() symbol for serial port driver 2022-11-10 18:17:35 +01:00
parport parport_pc: Avoid FIFO port location truncation 2022-11-26 09:27:30 +01:00
pci PCI: mt7621: Add sentinel to quirks table 2022-12-21 17:41:11 +01:00
pcmcia
peci
perf drivers/perf: hisi: Fix some event id for hisi-pcie-pmu 2022-12-31 13:25:40 +01:00
phy phy: qcom-qmp-combo: fix NULL-deref on runtime resume 2022-11-16 10:04:09 +01:00
pinctrl pinctrl: pinconf-generic: add missing of_node_put() 2022-12-31 13:26:03 +01:00
platform platform/mellanox: mlxbf-pmc: Fix event typo 2022-12-31 13:25:48 +01:00
pnp PNP: fix name memory leak in pnp_alloc_dev() 2022-12-31 13:25:43 +01:00
power power: supply: ab8500: Defer thermal zone probe 2022-12-02 17:43:02 +01:00
powercap powercap: intel_rapl: fix UBSAN shift-out-of-bounds issue 2022-10-21 12:39:04 +02:00
pps
ps3
ptp
pwm
rapidio rapidio: devices: fix missing put_device in mport_cdev_open 2022-12-31 13:25:48 +01:00
ras
regulator regulator: core: use kfree_const() to free space conditionally 2022-12-31 13:26:01 +01:00
remoteproc remoteproc: Harden rproc_handle_vdev() against integer overflow 2022-10-21 12:38:45 +02:00
reset reset: npcm: fix iprst2 and iprst4 setting 2022-09-22 17:48:35 +02:00
rpmsg rpmsg: char: Avoid double destroy of default endpoint 2022-10-21 12:37:53 +02:00
rtc rtc: cmos: fix build on non-ACPI platforms 2022-12-19 12:41:01 +01:00
s390 s390/qeth: fix use-after-free in hsci 2022-12-14 11:41:06 +01:00
sbus
scsi scsi: iscsi: Fix possible memory leak when device_register() failed 2022-12-02 17:43:16 +01:00
sh
siox siox: fix possible memory leak in siox_device_add() 2022-11-26 09:27:30 +01:00
slimbus slimbus: stream: correct presence rate frequencies 2022-11-26 09:27:45 +01:00
soc soc: apple: rtkit: Stop casting function pointer signatures 2022-12-31 13:25:40 +01:00
soundwire soundwire: intel: Initialize clock stop timeout 2022-12-14 11:40:51 +01:00
spi spi: mediatek: Fix DEVAPC Violation at KO Remove 2022-12-14 11:40:46 +01:00
spmi spmi: pmic-arb: correct duplicate APID to PPID mapping logic 2022-10-21 12:38:53 +02:00
ssb
staging media: imx: imx7-media-csi: Clear BIT_MIPI_DOUBLE_CMPNT for <16b formats 2022-12-31 13:26:02 +01:00
target scsi: target: tcm_loop: Fix possible name leak in tcm_loop_setup_hba_bus() 2022-11-26 09:27:53 +01:00
tc
tee tee: optee: fix possible memory leak in optee_register_device() 2022-12-02 17:43:03 +01:00
thermal thermal: core: fix some possible name leaks in error paths 2022-12-31 13:25:44 +01:00
thunderbolt thunderbolt: Add DP OUT resource when DP tunnel is discovered 2022-11-16 10:03:48 +01:00
tty Revert "tty: n_gsm: replace kicktimer with delayed_work" 2022-12-02 17:43:14 +01:00
ufs
uio
usb usb: musb: remove extra check in musb_gadget_vbus_draw 2022-12-31 13:25:34 +01:00
vdpa vdpa/mlx5: Fix MQ to support non power of two num queues 2022-09-27 18:32:45 -04:00
vfio vfio: Split the register_device ops call into functions 2022-11-26 09:27:52 +01:00
vhost vhost/vsock: Use kvmalloc/kvfree for larger packets. 2022-10-21 12:38:19 +02:00
video fbcon: Use kzalloc() in fbcon_prepare_logo() 2022-12-14 11:40:48 +01:00
virt virt/sev-guest: Add a MODULE_ALIAS 2022-12-31 13:25:56 +01:00
virtio
vlynq
w1
watchdog
xen xen/privcmd: Fix a possible warning in privcmd_ioctl_mmap_resource() 2022-12-31 13:25:46 +01:00
zorro
Kconfig
Makefile