dib9000: possible stack overflow from device mailbox length
From: Maoyi Xie
Date: Wed Jun 17 2026 - 05:24:20 EST
Hi all,
I think dib9000_mbx_get_message_attr() in
drivers/media/dvb-frontends/dib9000.c can overflow a small stack buffer
with a length the device controls. I would appreciate it if you could
take a look.
The copy looks like this.
*size = (*block & 0xff) - 1;
memcpy(msg, block + 1, (*size) * 2);
*size is the low byte of the mailbox header word, which the demod fills
in. Nothing checks it against the destination. The callers pass small
fixed stack arrays. dib9000_risc_check_version() passes a u8 r[4], and
the APB read and write helpers pass a u16 mb[10].
*size is a u8, so a header byte of 0x00 wraps to 255 words. That is a
510 byte memcpy into a 4 or 20 byte stack buffer. check_version() runs
on the normal firmware boot path, so a plain probe reaches it.
The mailbox read path does have a size check, but it only limits how
many payload words get cached. The header word itself is stored before
that check, so its low byte stays unbounded here. fw_init() also checks
the size, but only after the memcpy.
The attacker is a malicious or spoofed DiB9000-based USB DVB stick. The
demod controls the I2C mailbox bytes, so the length byte is fully under
its control.
I reproduced it under KASAN on 7.1-rc7. A small length byte fits and
nothing happens. A larger one on the same path runs past the stack
array, and the stack protector fires with "Kernel stack is corrupted".
I am aware of the two "avoid out of bound access" patches from 2014.
Those only touched the send side in dib9000_risc_apb_access_write() and
were never merged. This is the receive side, which is still unbounded.
The fix I tried passes the destination size in words down to
dib9000_mbx_get_message_attr() and rejects anything larger before the
memcpy. Each caller passes ARRAY_SIZE of its buffer. It is about ten
lines and applies cleanly to 7.1-rc7.
Does this look like a real bug, and is the bound the right way to handle
it? If it looks right I am happy to send a proper patch with the Fixes
tag dd316c6bacc2 ("[media] DIB9000: initial support added").
Thanks,
Maoyi
https://maoyixie.com/
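Added example (editor's note, not part of the report above and not the driver's code): a user-space C model of the length decode and copy the report describes, alongside the bounded variant the report proposes. The helper names (mbx_payload_words, mbx_get_message_unbounded, mbx_get_message_bounded, build_block, demo) are assumptions for illustration, the mailbox block contents are constructed, and -1 stands in for a kernel error code. The "unbounded" model copies into a 256-word scratch area so it never actually overflows; it only reports how many bytes a caller's real u16 mb[10] would have received when the low header byte is 0x00.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef uint8_t u8;
typedef uint16_t u16;

#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))

/* Length decode as described in the report: low header byte minus one, kept
 * in a u8, so a 0x00 header byte wraps to 255 words (510 bytes). */
static u8 mbx_payload_words(u16 header)
{
	return (u8)((header & 0xff) - 1);
}

static unsigned int mbx_payload_bytes(u16 header)
{
	return mbx_payload_words(header) * 2u;
}

/* Model of the unchecked copy (hypothetical helper, not the driver's code).
 * The caller must supply a 256-word destination so this model stays in
 * bounds; it returns the byte count a real caller's buffer would receive. */
static unsigned int mbx_get_message_unbounded(const u16 *block, u16 *msg, u8 *size)
{
	*size = mbx_payload_words(*block);
	memcpy(msg, block + 1, (*size) * 2u);
	return (*size) * 2u;
}

/* Bounded variant in the shape the report proposes: the caller passes its
 * destination capacity in words and the decoded length is rejected before
 * the memcpy. Returns -1 (standing in for a kernel error code) on reject. */
static int mbx_get_message_bounded(const u16 *block, u16 *msg,
				   unsigned int msg_words, u8 *size)
{
	u8 len = mbx_payload_words(*block);

	if (len > msg_words)
		return -1;
	memcpy(msg, block + 1, len * 2u);
	*size = len;
	return 0;
}

/* Constructed mailbox block: header word with the given low byte followed by
 * 255 recognisable payload words, enough for any u8 length. */
static void build_block(u16 *block, u8 header_low)
{
	unsigned int i;

	block[0] = header_low;
	for (i = 1; i < 256; i++)
		block[i] = (u16)(0xA000 | i);
}

/* Runs both variants with the report's u16 mb[10] as the destination size,
 * first with the wrapping 0x00 header byte, then with a benign 0x05.
 * Returns 1 when the unbounded model would have written 510 bytes into a
 * 20-byte buffer, the bounded variant rejects that header, and the bounded
 * variant still accepts and copies the benign 4-word message correctly. */
static int demo(void)
{
	u16 block[256];
	u16 scratch[256];
	u16 mb[10];
	u8 size = 0;
	unsigned int copied;

	build_block(block, 0x00);
	copied = mbx_get_message_unbounded(block, scratch, &size);
	if (copied != 510 || copied <= sizeof(mb))
		return 0;
	if (mbx_get_message_bounded(block, mb, ARRAY_SIZE(mb), &size) != -1)
		return 0;

	build_block(block, 0x05);
	if (mbx_get_message_bounded(block, mb, ARRAY_SIZE(mb), &size) != 0)
		return 0;
	if (size != 4 || mb[0] != block[1] || mb[3] != block[4])
		return 0;
	return 1;
}

int main(void)
{
	printf("0x00 header byte -> %u payload bytes; bounded copy %s\n",
	       mbx_payload_bytes(0x0000), demo() ? "rejects it" : "FAILED");
	return demo() ? 0 : 1;
}
```

The check compares the decoded word count against the destination capacity in words, which is what each caller can state exactly with ARRAY_SIZE; a byte-based bound would have to remember the u16 element size at every call site. Note the wrap itself is untouched: a 0x00 header byte still decodes to 255, the bound just makes that value harmless.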