From patchwork Fri Sep 22 12:38:07 2023
X-Patchwork-Submitter: Takashi Iwai
X-Patchwork-Id: 143707
From: Takashi Iwai
To: Sean Young
Cc: Mauro Carvalho Chehab, linux-media@vger.kernel.org, linux-kernel@vger.kernel.org, "Ricardo B . Marliere"
Subject: [PATCH] media: imon: fix access to invalid resource for the second interface
Date: Fri, 22 Sep 2023 14:38:07 +0200
Message-Id: <20230922123807.15236-1-tiwai@suse.de>

imon driver probes two USB interfaces, and at the probe of the second
interface, the driver assumes blindly that the first interface got
bound with the same imon driver. It's usually true, but it's still
possible that the first interface is bound with another driver via a
malformed descriptor. Then it may lead to a memory corruption, as
spotted by syzkaller; imon driver accesses the data from drvdata as
struct imon_context object although it's a completely different one
that was assigned by another driver.

This patch adds a sanity check -- whether the first interface is
really bound with the imon driver or not -- for avoiding the problem
above at the probe time.

Reported-by: syzbot+59875ffef5cb9c9b29e9@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/all/000000000000a838aa0603cc74d6@google.com/
Tested-by: Ricardo B. Marliere
Link: https://lore.kernel.org/r/20230922005152.163640-1-ricardo@marliere.net
Signed-off-by: Takashi Iwai --- drivers/media/rc/imon.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/drivers/media/rc/imon.c b/drivers/media/rc/imon.c index 74546f7e3469..5719dda6e0f0 100644 --- a/drivers/media/rc/imon.c +++ b/drivers/media/rc/imon.c @@ -2427,6 +2427,12 @@ static int imon_probe(struct usb_interface *interface, goto fail; } + if (first_if->dev.driver != interface->dev.driver) { + dev_err(&interface->dev, "inconsistent driver matching\n"); + ret = -EINVAL; + goto fail; + } + if (ifnum == 0) { ictx = imon_init_intf0(interface, id); if (!ictx) {
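
Review bot: The new `first_if->dev.driver != interface->dev.driver` comparison in imon_probe() has no comment, and its rationale (the probe of the second interface treats the first interface's drvdata as a struct imon_context, which is only valid if imon itself bound that interface) lives only in the commit message; a short comment above the check would keep that reasoning next to the code. Because the check is placed before the `if (ifnum == 0)` branch it is evaluated for both interfaces, so the comment should state that this is intended. The log text "inconsistent driver matching" is also vague: saying that the first interface is bound to a different driver would make the line actionable when a device with a malformed descriptor triggers it. Finally, returning -EINVAL from probe makes the driver core log its own probe-failure warning on top of this dev_err(); consider whether -ENODEV, which the core treats as a quiet "not my device", fits better here.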