On Tue, Jul 02, 2019 at 07:49:26AM +0700, Phong Tran wrote:
> Hello,
>
> I did a check on this report from syzbot [1].
> From the call stack of the dump log:
>
> There it shows a problem within technisat_usb2_get_ir():
>
> BUG: KASAN: slab-out-of-bounds in technisat_usb2_get_ir
> drivers/media/usb/dvb-usb/technisat-usb2.c:664 [inline]
> BUG: KASAN: slab-out-of-bounds in technisat_usb2_rc_query+0x5fa/0x660
> drivers/media/usb/dvb-usb/technisat-usb2.c:679
> Read of size 1 at addr ffff8880a8791ea8 by task kworker/0:1/12
>
> Take a look at the while loop in technisat_usb2_get_ir().
> I recognized a problem. The loop will not break out if the condition
> is never reached. Then "b++" will go wrong and the buffer will overflow.
>
>     while (1) {
>         [...]
>         b++;
>         if (*b == 0xff) {
>             ev.pulse = 0;
>             ev.duration = 888888*2;
>             ir_raw_event_store(d->rc_dev, &ev);
>             break;
>         }
>     }
>
> I would propose changing the loop condition by checking the address of the
> buffer. If acceptable, I will send this patch to the mailing list.
> e.g.:
>
> -    while (1) {
> +    while (b != (buf + 63)) {
>          [...]
>      }
>
> Tested with syzbot, result is good [2].
>
> [1] https://syzkaller.appspot.com/bug?extid=eaaaf38a95427be88f4b
> [2] https://groups.google.com/d/msg/syzkaller-bugs/CySBCKuUOOs/0hKq1CdjCwAJ

Great, can you submit a patch for this?

thanks,

greg k-h
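Review bot: the literal bound `buf + 63` in the `+` line hard-codes a 64-byte buffer, and nothing in the hunk shows where that size comes from; since the `*b == 0xff` check runs after `b++`, the loop still reads `buf[63]` on its last pass, which is only in bounds if the array really is 64 bytes. Suggest deriving the limit from the buffer's declared size (sizeof or ARRAY_SIZE on the actual array) instead of a magic number, with a comment saying why. Also note that when the loop leaves because the bound is hit rather than on `0xff`, the trailing gap event (`ev.duration = 888888*2`) is never stored, so a frame without a terminator is silently truncated rather than closed; either emit the gap on that path too or document that such a frame is dropped.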
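As an added userspace illustration (not the driver's code and not Phong's patch), the decoder below applies the proposed `b != buf + 63` bound to the pulse/space loop described above, on both a terminated and an unterminated input. It assumes a 64-byte buffer (implied by `buf + 63`), an illustrative `TICK_US` scale factor standing in for the driver's clock constants, and constructed sample data.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Assumption: the proposed bound "buf + 63" implies a 64-byte buffer. */
#define IR_BUF_SIZE 64
/* Illustrative scale factor standing in for the driver's clock constants. */
#define TICK_US 10
#define END_GAP_US (888888 * 2)

struct ir_event { bool pulse; unsigned int duration; };

/* Decode mark/space lengths from buf[1..] as technisat_usb2_get_ir() does,
 * but with the proposed bound: stop when b reaches buf + 63 instead of
 * spinning until a 0xff byte happens to turn up. Returns the number of
 * events produced; at most max_out of them are written to out. */
size_t decode_ir_bounded(const uint8_t *buf, struct ir_event *out, size_t max_out)
{
    const uint8_t *b = buf + 1;
    bool pulse = false;
    size_t n = 0;

    while (b != buf + (IR_BUF_SIZE - 1)) {
        pulse = !pulse;
        if (n < max_out) { out[n].pulse = pulse; out[n].duration = *b * TICK_US; }
        n++;
        b++;                      /* b is now at most buf + 63: still inside the buffer */
        if (*b == 0xff) {         /* terminator: emit the trailing gap and stop */
            if (n < max_out) { out[n].pulse = false; out[n].duration = END_GAP_US; }
            n++;
            break;
        }
    }
    return n;
}

/* Constructed sample: two lengths followed by the 0xff terminator. */
size_t sample_terminated_count(void)
{
    uint8_t buf[IR_BUF_SIZE] = { 0x00, 10, 20, 0xff };
    struct ir_event ev[IR_BUF_SIZE];
    return decode_ir_bounded(buf, ev, IR_BUF_SIZE);   /* 3: mark, space, gap */
}

/* Constructed sample: no terminator anywhere (the syzbot case). The old
 * while (1) would walk past the buffer; the bounded loop stops at buf + 63. */
size_t sample_unterminated_count(void)
{
    uint8_t buf[IR_BUF_SIZE];
    struct ir_event ev[IR_BUF_SIZE];
    memset(buf, 0x01, sizeof(buf));
    return decode_ir_bounded(buf, ev, IR_BUF_SIZE);   /* 62: buf[1] .. buf[62] */
}
```

Note that the unterminated input returns 62 events and no closing gap, which is the silent-truncation behaviour a caller has to be prepared for once the loop is bounded.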