[PATCH V3] media: dvb-usb: pctv452e: move snd/rcv len check before kmalloc
0 views
Skip to first unread message
Edward Adam Davis
Nov 3, 2025, 6:58:03 AM (2 days ago) Nov 3
to hverkui...@kernel.org, ead...@qq.com, linux-...@vger.kernel.org, linux...@vger.kernel.org, mch...@kernel.org, syzbot+480edd...@syzkaller.appspotmail.com, syzkall...@googlegroups.com
syzbot reported a uninit-value in pctv452e_i2c_msg. [1]
When the snd_len or rcv_len check fails and jumps to failed, buf is
uninitialized, triggering the uninit-value issue.
Move the snd/rcv length check before kmalloc, and return -EINVAL directly
if the condition is met.
[1]
BUG: KMSAN: uninit-value in hex_string+0x681/0x740 lib/vsprintf.c:1220
pctv452e_i2c_msg+0x82a/0x8f0 drivers/media/usb/dvb-usb/pctv452e.c:467
pctv452e_i2c_xfer+0x2e6/0x4c0 drivers/media/usb/dvb-usb/pctv452e.c:502
Reported-by: syzbot+480edd...@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=480edd2cadb85ddb4bbe
Signed-off-by: Edward Adam Davis <ead...@qq.com>
---
V1 -> V2: subject typos
V2 -> V3: move the check before kmalloc
drivers/media/usb/dvb-usb/pctv452e.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/drivers/media/usb/dvb-usb/pctv452e.c b/drivers/media/usb/dvb-usb/pctv452e.c
index 5094de9a312e..bc7a224d829e 100644
--- a/drivers/media/usb/dvb-usb/pctv452e.c
+++ b/drivers/media/usb/dvb-usb/pctv452e.c
@@ -422,16 +422,15 @@ static int pctv452e_i2c_msg(struct dvb_usb_device *d, u8 addr,
u8 id;
int ret;
+ if (snd_len > 64 - 7 || rcv_len > 64 - 7)
+ return -EINVAL;
+
buf = kmalloc(64, GFP_KERNEL);
if (!buf)
return -ENOMEM;
id = state->c++;
- ret = -EINVAL;
- if (snd_len > 64 - 7 || rcv_len > 64 - 7)
- goto failed;
-
buf[0] = SYNC_BYTE_OUT;
buf[1] = id;
buf[2] = PCTV_CMD_I2C;
--
2.43.0
When the snd_len or rcv_len check fails and jumps to failed, buf is
uninitialized, triggering the uninit-value issue.
Move the snd/rcv length check before kmalloc, and return -EINVAL directly
if the condition is met.
[1]
BUG: KMSAN: uninit-value in hex_string+0x681/0x740 lib/vsprintf.c:1220
pctv452e_i2c_msg+0x82a/0x8f0 drivers/media/usb/dvb-usb/pctv452e.c:467
pctv452e_i2c_xfer+0x2e6/0x4c0 drivers/media/usb/dvb-usb/pctv452e.c:502
Reported-by: syzbot+480edd...@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=480edd2cadb85ddb4bbe
Signed-off-by: Edward Adam Davis <ead...@qq.com>
---
V1 -> V2: subject typos
V2 -> V3: move the check before kmalloc
drivers/media/usb/dvb-usb/pctv452e.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/drivers/media/usb/dvb-usb/pctv452e.c b/drivers/media/usb/dvb-usb/pctv452e.c
index 5094de9a312e..bc7a224d829e 100644
--- a/drivers/media/usb/dvb-usb/pctv452e.c
+++ b/drivers/media/usb/dvb-usb/pctv452e.c
@@ -422,16 +422,15 @@ static int pctv452e_i2c_msg(struct dvb_usb_device *d, u8 addr,
u8 id;
int ret;
+ if (snd_len > 64 - 7 || rcv_len > 64 - 7)
+ return -EINVAL;
+
buf = kmalloc(64, GFP_KERNEL);
if (!buf)
return -ENOMEM;
id = state->c++;
- ret = -EINVAL;
- if (snd_len > 64 - 7 || rcv_len > 64 - 7)
- goto failed;
-
buf[0] = SYNC_BYTE_OUT;
buf[1] = id;
buf[2] = PCTV_CMD_I2C;
--
2.43.0
Reply all
Reply to author
Forward
0 new messages