[Linux-kernel-mentees] [SYZBOT REPORT] global-out-of-bounds Read in hdpvr_probe

Luke Nowakowski-Krijger lnowakow at eng.ucsd.edu
Sun Jul 21 11:56:49 UTC 2019


This is an analysis of the following report


The error was reproduced on 5.1-rc4 with gcc 9.1.0.

The offending line is:

retval = hdpvr_register_videodev(dev, &interface->dev,


Immediately we see that the video_nr array is indexed by an increment that
is never checked against the array's size. If enough devices are probed for
the index to reach the size of the array, the access reads past its end,
producing exactly the global out-of-bounds read that syzbot reported.


The fix would be to "check out" a slot in the register array before we
actually register the device, verifying that we haven't already reached the
maximum number of devices we want to register. If we find that the maximum
has been reached, we can report this and return safely from the probe
function, avoiding the global out-of-bounds access and giving the user
useful information about why the device was not registered.
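As an added illustration (not the driver's code and not the patch itself), here is a small user-space model of the pattern: a fixed-size video_nr table indexed by a device counter, first with the unchecked increment and then with the slot claimed and bounds-checked before registration. HDPVR_MAX_MODEL, dev_nr and the function names are assumptions made for this model.

```c
/* Model of the hdpvr_probe indexing pattern; names are assumed, not the driver's. */
#include <errno.h>
#include <stdio.h>

#define HDPVR_MAX_MODEL 4        /* assumed table size for this model */
#define UNSET (-1)

/* Requested video numbers, one slot per device the driver may register. */
static int video_nr[HDPVR_MAX_MODEL] = { UNSET, UNSET, UNSET, UNSET };

/* Last slot handed out; the real driver keeps this in an atomic_t. */
static int dev_nr = -1;

void hdpvr_model_reset(void) { dev_nr = -1; }

/* Unchecked pattern: the index used for video_nr[] is just the incremented
 * counter. Returned instead of dereferenced so the overrun can be observed
 * without actually reading out of bounds. */
int hdpvr_probe_unchecked_index(void)
{
    return ++dev_nr;
}

/* True when an index produced above still lies inside the table. */
int hdpvr_index_in_bounds(int idx)
{
    return idx >= 0 && idx < HDPVR_MAX_MODEL;
}

/* Stand-in for hdpvr_register_videodev(): accepts a requested number. */
static int register_videodev_model(int requested_nr)
{
    (void)requested_nr;
    return 0;
}

/* Checked pattern: claim a slot first and refuse the probe when the table is
 * full, undoing the increment so the counter does not drift. Returns 0 on
 * success and -ENODEV when every slot is already taken. */
int hdpvr_probe_checked(void)
{
    int idx = ++dev_nr;
    if (idx >= HDPVR_MAX_MODEL) {
        dev_nr--;
        fprintf(stderr, "hdpvr: max device number reached, register failed\n");
        return -ENODEV;
    }
    return register_videodev_model(video_nr[idx]);  /* idx is in bounds here */
}
```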

I have already prepared a patch that is awaiting review that fixes this.



