Overview
About vulnerability
In the Linux kernel, the following vulnerability has been resolved:
media: az6007: Fix null-ptr-deref in az6007_i2c_xfer()
In az6007_i2c_xfer, msg is controlled by user. When msg[i].buf is null and msg[i].len is zero, former checks on msg[i].buf would be passed. Malicious data finally reach az6007_i2c_xfer. If accessing msg[i].buf[0] without sanity check, null ptr deref would happen. We add check on msg[i].len to prevent crash.
Similar commit: commit 0ed554fd769a (“media: dvb-usb: az6027: fix null-ptr-deref in az6027_i2c_xfer()”)
Details
- Affected product:
- AlmaLinux 9.2 ESU , CentOS 6 ELS , CentOS 8.4 ELS , CentOS 8.5 ELS , Oracle Linux 6 ELS , Ubuntu 16.04 ELS , Ubuntu 18.04 ELS
- Affected packages:
- kernel @ 2.6.32 (+7 more)
In the Linux kernel, the following vulnerability has been resolved:
media: az6007: Fix null-ptr-deref in az6007_i2c_xfer()
In az6007_i2c_xfer, msg is controlled by user. When msg[i].buf is null and msg[i].len is zero, former checks on msg[i].buf would be passed. Malicious data finally reach az6007_i2c_xfer. If accessing msg[i].buf[0] without sanity check, null ptr deref would happen. We add check on msg[i].len to prevent crash.
Similar commit: commit 0ed554fd769a (“media: dvb-usb: az6027: fix null-ptr-deref in az6027_i2c_xfer()”)