Description
In the Linux kernel, the following vulnerability has been resolved: media: dw2102: Fix null-ptr-deref in dw2102_i2c_transfer() In dw2102_i2c_transfer, msg is controlled by user. When msg[i].buf is null and msg[i].len is zero, former checks on msg[i].buf would be passed. Malicious data finally reach dw2102_i2c_transfer. If accessing msg[i].buf[0] without sanity check, null ptr deref would happen. We add check on msg[i].len to prevent crash. Similar commit: commit 950e252cb469 ("[media] dw2102: limit messages to buffer size")
Product status
7fd4828f6cc5bd4339ff58e372ccb5f528548b30 (git) before 77cbd42d29de9ffc93d5529bab8813cde53af14c
7fd4828f6cc5bd4339ff58e372ccb5f528548b30 (git) before ecbe6d011b95c7da59f014f8d26cb7245ed1e11e
7fd4828f6cc5bd4339ff58e372ccb5f528548b30 (git) before beb9550494e7349f92b9eaa283256a5ad9b1c9be
7fd4828f6cc5bd4339ff58e372ccb5f528548b30 (git) before 97fdbdb750342cbc204befde976872fedb406ee6
7fd4828f6cc5bd4339ff58e372ccb5f528548b30 (git) before 903566208ae6bb9c0e7e54355ce75bf6cf72485d
7fd4828f6cc5bd4339ff58e372ccb5f528548b30 (git) before 08dfcbd03b2b7f918c4f87c6ff637054e510df74
7fd4828f6cc5bd4339ff58e372ccb5f528548b30 (git) before fb28afab113a82b89ffec48c8155ec05b4f8cb5e
7fd4828f6cc5bd4339ff58e372ccb5f528548b30 (git) before 5ae544d94abc8ff77b1b9bf8774def3fa5689b5b
2.6.27
Any version before 2.6.27
4.14.326 (semver)
4.19.295 (semver)
5.4.257 (semver)
5.10.197 (semver)
5.15.133 (semver)
6.1.55 (semver)
6.5.5 (semver)
6.6 (original_commit_for_fix)
References
git.kernel.org/...c/77cbd42d29de9ffc93d5529bab8813cde53af14c
git.kernel.org/...c/ecbe6d011b95c7da59f014f8d26cb7245ed1e11e
git.kernel.org/...c/beb9550494e7349f92b9eaa283256a5ad9b1c9be
git.kernel.org/...c/97fdbdb750342cbc204befde976872fedb406ee6
git.kernel.org/...c/903566208ae6bb9c0e7e54355ce75bf6cf72485d
git.kernel.org/...c/08dfcbd03b2b7f918c4f87c6ff637054e510df74
git.kernel.org/...c/fb28afab113a82b89ffec48c8155ec05b4f8cb5e
git.kernel.org/...c/5ae544d94abc8ff77b1b9bf8774def3fa5689b5b