--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: bookworm-pu: package openrazer/3.5.1+dfsg-2+deb12u1
- From: Adrian Bunk <bunk@debian.org>
- Date: Thu, 24 Apr 2025 13:35:16 +0300
- Message-id: <174549091617.3603899.12028079183854748683.reportbug@localhost>
Package: release.debian.org
Severity: normal
Tags: bookworm moreinfo
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: security@debian.org, Dylan Aïssi <daissi@debian.org>
* CVE-2025-32776: out-of-bounds read
Tagged moreinfo, as question to the security team whether they want
this in pu or as DSA.
diffstat for openrazer-3.5.1+dfsg openrazer-3.5.1+dfsg
changelog | 7 +
patches/0001-driver-Stop-copying-any-custom-frame-data-when-param.patch | 50 ++++++++
patches/0002-driver-Fix-possible-integer-overflow-in-write_matrix.patch | 61 ++++++++++
patches/series | 2
4 files changed, 120 insertions(+)
diff -Nru openrazer-3.5.1+dfsg/debian/changelog openrazer-3.5.1+dfsg/debian/changelog
--- openrazer-3.5.1+dfsg/debian/changelog 2023-02-03 18:07:01.000000000 +0200
+++ openrazer-3.5.1+dfsg/debian/changelog 2025-04-23 22:45:05.000000000 +0300
@@ -1,3 +1,10 @@
+openrazer (3.5.1+dfsg-2+deb12u1) unstable; urgency=medium
+
+ * Non-maintainer upload.
+ * CVE-2025-32776: out-of-bounds read
+
+ -- Adrian Bunk <bunk@debian.org> Wed, 23 Apr 2025 22:45:05 +0300
+
openrazer (3.5.1+dfsg-2) unstable; urgency=medium
[ Andreas Beckmann ]
diff -Nru openrazer-3.5.1+dfsg/debian/patches/0001-driver-Stop-copying-any-custom-frame-data-when-param.patch openrazer-3.5.1+dfsg/debian/patches/0001-driver-Stop-copying-any-custom-frame-data-when-param.patch
--- openrazer-3.5.1+dfsg/debian/patches/0001-driver-Stop-copying-any-custom-frame-data-when-param.patch 1970-01-01 02:00:00.000000000 +0200
+++ openrazer-3.5.1+dfsg/debian/patches/0001-driver-Stop-copying-any-custom-frame-data-when-param.patch 2025-04-23 22:43:56.000000000 +0300
@@ -0,0 +1,50 @@
+From c56f45e37b75cdfbaee88df40168cee1834db191 Mon Sep 17 00:00:00 2001
+From: Luca Weiss <luca@lucaweiss.eu>
+Date: Thu, 10 Apr 2025 20:58:30 +0200
+Subject: driver: Stop copying any custom frame data when parameters are
+ invalid
+
+While the initial idea of this check was to sanitize any a row_length
+value which is too high. But in reality we should just essentially error
+out (which due to the function signature we can't do properly), and stop
+trying to memcpy any data.
+
+Issue: https://github.com/openrazer/openrazer/issues/2433
+---
+ driver/razerchromacommon.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/driver/razerchromacommon.c b/driver/razerchromacommon.c
+index ef9891f9..1e7cdc11 100644
+--- a/driver/razerchromacommon.c
++++ b/driver/razerchromacommon.c
+@@ -480,7 +480,7 @@ struct razer_report razer_chroma_standard_matrix_set_custom_frame(unsigned char
+
+ if (row_length > sizeof(report.arguments) - start_arg_offset) {
+ printk(KERN_ALERT "razerchroma: RGB data too long\n");
+- row_length = sizeof(report.arguments) - start_arg_offset;
++ row_length = 0;
+ }
+
+ report = get_razer_report(0x03, 0x0B, 0x46); // In theory should be able to leave data size at max as we have start/stop
+@@ -766,7 +766,7 @@ struct razer_report razer_chroma_extended_matrix_set_custom_frame2(unsigned char
+
+ if (row_length > sizeof(report.arguments) - start_arg_offset) {
+ printk(KERN_ALERT "razerchroma: RGB data too long\n");
+- row_length = sizeof(report.arguments) - start_arg_offset;
++ row_length = 0;
+ }
+
+ // Some devices need a specific packet length, most devices are happy with 0x47
+@@ -1039,7 +1039,7 @@ struct razer_report razer_chroma_misc_one_row_set_custom_frame(unsigned char sta
+
+ if (row_length > sizeof(report.arguments) - start_arg_offset) {
+ printk(KERN_ALERT "razerchroma: RGB data too long\n");
+- row_length = sizeof(report.arguments) - start_arg_offset;
++ row_length = 0;
+ }
+
+ report.arguments[0] = start_col;
+--
+2.30.2
+
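Review bot: In all three `*_set_custom_frame` hunks, setting `row_length = 0` stops the copy, but the function still builds and returns a report carrying the caller's `start_col`/`stop_col`, so an invalid request presumably still goes out to the device as a frame with no RGB payload. Since the signature cannot report an error (as the commit message itself notes), the rejection is better placed in the callers, which should validate the column range and fail with `-EINVAL` before calling these helpers. Separately, the unchanged `printk(KERN_ALERT ...)` sits on a path driven by user-supplied column values, so anyone able to write the attribute can flood the kernel log at alert priority; `printk_ratelimited(KERN_WARNING "razerchroma: RGB data too long\n");` would fit better. The function bodies start and end outside the hunks, so how `row_length` and `start_arg_offset` are derived cannot be checked from here.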
diff -Nru openrazer-3.5.1+dfsg/debian/patches/0002-driver-Fix-possible-integer-overflow-in-write_matrix.patch openrazer-3.5.1+dfsg/debian/patches/0002-driver-Fix-possible-integer-overflow-in-write_matrix.patch
--- openrazer-3.5.1+dfsg/debian/patches/0002-driver-Fix-possible-integer-overflow-in-write_matrix.patch 1970-01-01 02:00:00.000000000 +0200
+++ openrazer-3.5.1+dfsg/debian/patches/0002-driver-Fix-possible-integer-overflow-in-write_matrix.patch 2025-04-23 22:43:56.000000000 +0300
@@ -0,0 +1,61 @@
+From 42f4b7c4eab618031b2c9bb19188c69f40900c52 Mon Sep 17 00:00:00 2001
+From: Luca Weiss <luca@lucaweiss.eu>
+Date: Thu, 10 Apr 2025 20:34:39 +0200
+Subject: driver: Fix possible integer overflow in write_matrix_custom_frame
+
+When a user passes start_col=0x00 and stop_col=0x55 with the data,
+row_length can easily wrap around leading to undesired behavior
+including out of bounds read while copying data into report.arguments.
+
+Avoid the overflow by making sure the underlying type has enough space
+for the value ((255 + 1) - 0) * 3 = 768.
+
+Issue: https://github.com/openrazer/openrazer/issues/2433
+---
+ driver/razeraccessory_driver.c | 2 +-
+ driver/razerkbd_driver.c | 2 +-
+ driver/razermouse_driver.c | 2 +-
+ 3 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/driver/razeraccessory_driver.c b/driver/razeraccessory_driver.c
+index 2bfb00e0..0928b0bb 100644
+--- a/driver/razeraccessory_driver.c
++++ b/driver/razeraccessory_driver.c
+@@ -830,7 +830,7 @@ static ssize_t razer_attr_write_matrix_custom_frame(struct device *dev, struct d
+ unsigned char row_id;
+ unsigned char start_col;
+ unsigned char stop_col;
+- unsigned char row_length;
++ size_t row_length;
+
+ //printk(KERN_ALERT "razermyg: Total count: %d\n", (unsigned char)count);
+
+diff --git a/driver/razerkbd_driver.c b/driver/razerkbd_driver.c
+index 672f88a0..c647202c 100644
+--- a/driver/razerkbd_driver.c
++++ b/driver/razerkbd_driver.c
+@@ -2484,7 +2484,7 @@ static ssize_t razer_attr_write_matrix_custom_frame(struct device *dev, struct d
+ unsigned char row_id;
+ unsigned char start_col;
+ unsigned char stop_col;
+- unsigned char row_length;
++ size_t row_length;
+
+ //printk(KERN_ALERT "razerkbd: Total count: %d\n", (unsigned char)count);
+
+diff --git a/driver/razermouse_driver.c b/driver/razermouse_driver.c
+index 01c95f3f..e325920d 100644
+--- a/driver/razermouse_driver.c
++++ b/driver/razermouse_driver.c
+@@ -2230,7 +2230,7 @@ static ssize_t razer_attr_write_matrix_custom_frame(struct device *dev, struct d
+ unsigned char row_id;
+ unsigned char start_col;
+ unsigned char stop_col;
+- unsigned char row_length;
++ size_t row_length;
+
+ //printk(KERN_ALERT "razermouse: Total count: %d\n", (unsigned char)count);
+
+--
+2.30.2
+
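Review bot: Widening `row_length` to `size_t` removes the 8-bit wrap, but the three `razer_attr_write_matrix_custom_frame` hunks do not visibly cover the opposite case. The assignment is outside them, and if it follows the formula in the commit message, `((stop_col + 1) - start_col) * 3`, a `start_col` larger than `stop_col + 1` yields a negative `int` that now converts to a value near `SIZE_MAX` rather than to a small byte. Any bounds comparison that adds `row_length` to an offset, if the handler has one, could then wrap and pass. I would add an explicit ordering check before the computation, e.g. `if (start_col > stop_col) return -EINVAL;`, and record the reason for the type next to the declaration: `/* up to (255 + 1 - 0) * 3 = 768, does not fit in unsigned char */`. The function bodies start and end outside the hunks.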
diff -Nru openrazer-3.5.1+dfsg/debian/patches/series openrazer-3.5.1+dfsg/debian/patches/series
--- openrazer-3.5.1+dfsg/debian/patches/series 2023-02-03 18:07:01.000000000 +0200
+++ openrazer-3.5.1+dfsg/debian/patches/series 2025-04-23 22:45:04.000000000 +0300
@@ -1,2 +1,4 @@
6322c4ab9d12b5711eead41821fe19149e515afc.patch
skip-without-CONFIG_USB.patch
+0001-driver-Stop-copying-any-custom-frame-data-when-param.patch
+0002-driver-Fix-possible-integer-overflow-in-write_matrix.patch
--- End Message ---