On Tue, Aug 20, 2019 at 02:19:16PM -0400, Hui Peng wrote:
> In the while loop of technisat_usb2_get_ir, it scans through
> a fix-sized buffer read from the device side, the termination
> condition of the loop is `*b == 0xff`. If no `0xff` byte is read
> from the device side, OOB access happens.
>
The following is the kasan report. This bug was found in v4.20-rc2, but
it is present in the latest version.
BUG: KASAN: slab-out-of-bounds in technisat_usb2_get_ir
drivers/media/usb/dvb-usb/technisat-usb2.c:664 [inline]
BUG: KASAN: slab-out-of-bounds in technisat_usb2_rc_query+0x598/0x5f0
In the while loop of technisat_usb2_get_ir, it scans through
a fix-sized buffer read from the device side, the termination
condition of the loop is `*b == 0xff`. If no `0xff` byte is read
from the device side, OOB access happens.
This patch fixes the bug by adding an upper bound in the while
3 matches
Mail list logo