Re: [syzbot] UBSAN: array-index-out-of-bounds in pvr2_i2c_core_init

[Pavel Skripkin]

Hi Syzbot,

On 4/14/22 21:47, syzbot wrote:
> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit:    4ea3c6425269 Merge tag 'powerpc-5.18-2' of git://git.kerne..
> git tree:       upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=148cb824f00000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=307baecfd5e87ced
> dashboard link: https://syzkaller.appspot.com/bug?extid=1a247e36149ffd709a9b
> compiler:       gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=17279a70f00000
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=121dc124f00000
>
> Bisection is inconclusive: the issue happens on the oldest tested release.
>
> bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=142753df700000
> final oops:     https://syzkaller.appspot.com/x/report.txt?x=162753df700000
> console output: https://syzkaller.appspot.com/x/log.txt?x=122753df700000
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:


just guessing


#syz test:
git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master




With regards,
Pavel Skripkin
diff --git a/drivers/media/usb/pvrusb2/pvrusb2-hdw.c b/drivers/media/usb/pvrusb2/pvrusb2-hdw.c
index cd7b118d5929..2a1a0a0ca225 100644
--- a/drivers/media/usb/pvrusb2/pvrusb2-hdw.c
+++ b/drivers/media/usb/pvrusb2/pvrusb2-hdw.c
@@ -2569,6 +2569,9 @@ struct pvr2_hdw *pvr2_hdw_create(struct usb_interface *intf,
 	} while (0);
 	mutex_unlock(&pvr2_unit_mtx);
 
+	if (hdw->unit_number == -1)
+	  	goto fail;
+
 	cnt1 = 0;
 	cnt2 = scnprintf(hdw->name+cnt1,sizeof(hdw->name)-cnt1,"pvrusb2");
 	cnt1 += cnt2;

Attachment: OpenPGP_signature
Description: OpenPGP digital signature