Reject zero-length I2C read requests in the legacy dib0700 I2C
transfer path.

A zero-length read is passed to usb_control_msg() with a receive
control pipe and USB_DIR_IN. usb_submit_urb() treats a zero wLength
control transfer as OUT, so the pipe direction and setup packet
direction disagree and trigger the "BOGUS control dir" warning.

Return -EINVAL before submitting the USB control message.

Reported-by: syzbot+0cd0fb...@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=0cd0fb4cf3f4722d6663
Assisted-by: Codex:GPT-5.5
Signed-off-by: Henri A <con...@henrialfonso.com>
---
Notes:
- syzbot accepted #syz test requests for this patch, but the test runner
exited with "FATAL: kernel too old" before reaching the target warning, so
no Tested-by: syzbot tag is claimed.
- Local validation: git diff --check passed, checkpatch.pl --strict reported
only the missing-Fixes warning, and dib0700_core.o builds successfully.
- I used -EINVAL because the zero-length read is rejected before any I/O is
submitted. I also considered I2C_AQ_NO_ZERO_LEN_READ, but kept the guard
local to the legacy DIB0700 transfer path that triggers the warning.
drivers/media/usb/dvb-usb/dib0700_core.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/drivers/media/usb/dvb-usb/dib0700_core.c b/drivers/media/usb/dvb-usb/dib0700_core.c
index 1caabb51e..daa541b1b 100644
--- a/drivers/media/usb/dvb-usb/dib0700_core.c
+++ b/drivers/media/usb/dvb-usb/dib0700_core.c
@@ -311,6 +311,11 @@ static int dib0700_i2c_xfer_legacy(struct i2c_adapter *adap,
st->buf[0] = REQUEST_I2C_READ;
st->buf[1] |= 1;
+ if (msg[i + 1].len == 0) {
+ result = -EINVAL;
+ goto unlock;
+ }
+
/* special thing in the current firmware: when length is zero the read-failed */
len = dib0700_ctrl_rd(d, st->buf, msg[i].len + 2,
st->buf, msg[i + 1].len);
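
Review bot: the new `msg[i + 1].len == 0` check sits after `st->buf[0] = REQUEST_I2C_READ;` and `st->buf[1] |= 1;` and directly above the old comment "when length is zero the read-failed", so that comment now describes a case that can no longer reach dib0700_ctrl_rd(). Move the check ahead of the two buffer writes so a rejected request does not leave a half-built read request in st->buf, and give the check its own comment stating the real reason for the rejection (a zero wLength on the receive pipe trips the "BOGUS control dir" warning), then drop or reword the stale firmware comment. The notes say checkpatch flagged the missing Fixes: tag; it would help to add one if the commit that introduced this path can be identified.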
--
2.43.0