Version in base suite: 3.5.1+dfsg-2 Base version: openrazer_3.5.1+dfsg-2 Target version: openrazer_3.5.1+dfsg-2+deb12u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/o/openrazer/openrazer_3.5.1+dfsg-2.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/o/openrazer/openrazer_3.5.1+dfsg-2+deb12u1.dsc changelog | 7 + patches/0001-driver-Stop-copying-any-custom-frame-data-when-param.patch | 50 ++++++++ patches/0002-driver-Fix-possible-integer-overflow-in-write_matrix.patch | 61 ++++++++++ patches/series | 2 4 files changed, 120 insertions(+)
diff -Nru openrazer-3.5.1+dfsg/debian/changelog openrazer-3.5.1+dfsg/debian/changelog
--- openrazer-3.5.1+dfsg/debian/changelog 2023-02-03 16:07:01.000000000 +0000
+++ openrazer-3.5.1+dfsg/debian/changelog 2025-04-23 19:45:05.000000000 +0000
@@ -1,3 +1,10 @@
+openrazer (3.5.1+dfsg-2+deb12u1) bookworm; urgency=medium
+
+ * Non-maintainer upload.
+ * CVE-2025-32776: out-of-bounds read
+
+ -- Adrian Bunk Wed, 23 Apr 2025 22:45:05 +0300
+
 openrazer (3.5.1+dfsg-2) unstable; urgency=medium
 [ Andreas Beckmann ]
diff -Nru openrazer-3.5.1+dfsg/debian/patches/0001-driver-Stop-copying-any-custom-frame-data-when-param.patch openrazer-3.5.1+dfsg/debian/patches/0001-driver-Stop-copying-any-custom-frame-data-when-param.patch
--- openrazer-3.5.1+dfsg/debian/patches/0001-driver-Stop-copying-any-custom-frame-data-when-param.patch 1970-01-01 00:00:00.000000000 +0000
+++ openrazer-3.5.1+dfsg/debian/patches/0001-driver-Stop-copying-any-custom-frame-data-when-param.patch 2025-04-23 19:43:56.000000000 +0000
@@ -0,0 +1,50 @@
+From c56f45e37b75cdfbaee88df40168cee1834db191 Mon Sep 17 00:00:00 2001
+From: Luca Weiss
+Date: Thu, 10 Apr 2025 20:58:30 +0200
+Subject: driver: Stop copying any custom frame data when parameters are
+ invalid
+
+While the initial idea of this check was to sanitize any a row_length
+value which is too high. But in reality we should just essentially error
+out (which due to the function signature we can't do properly), and stop
+trying to memcpy any data.
+
+Issue: https://github.com/openrazer/openrazer/issues/2433
+---
+ driver/razerchromacommon.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/driver/razerchromacommon.c b/driver/razerchromacommon.c
+index ef9891f9..1e7cdc11 100644
+--- a/driver/razerchromacommon.c
++++ b/driver/razerchromacommon.c
+@@ -480,7 +480,7 @@ struct razer_report razer_chroma_standard_matrix_set_custom_frame(unsigned char
+
+ if (row_length > sizeof(report.arguments) - start_arg_offset) {
+ printk(KERN_ALERT "razerchroma: RGB data too long\n");
+- row_length = sizeof(report.arguments) - start_arg_offset;
++ row_length = 0;
+ }
+
+ report = get_razer_report(0x03, 0x0B, 0x46); // In theory should be able to leave data size at max as we have start/stop
+@@ -766,7 +766,7 @@ struct razer_report razer_chroma_extended_matrix_set_custom_frame2(unsigned char
+
+ if (row_length > sizeof(report.arguments) - start_arg_offset) {
+ printk(KERN_ALERT "razerchroma: RGB data too long\n");
+- row_length = sizeof(report.arguments) - start_arg_offset;
++ row_length = 0;
+ }
+
+ // Some devices need a specific packet length, most devices are happy with 0x47
+@@ -1039,7 +1039,7 @@ struct razer_report razer_chroma_misc_one_row_set_custom_frame(unsigned char sta
+
+ if (row_length > sizeof(report.arguments) - start_arg_offset) {
+ printk(KERN_ALERT "razerchroma: RGB data too long\n");
+- row_length = sizeof(report.arguments) - start_arg_offset;
++ row_length = 0;
+ }
+
+ report.arguments[0] = start_col;
+--
+2.30.2
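Review bot: The over-length branch in razer_chroma_standard_matrix_set_custom_frame still logs with an unthrottled `printk(KERN_ALERT ...)`, and the same applies to the identical branches in razer_chroma_extended_matrix_set_custom_frame2 and razer_chroma_misc_one_row_set_custom_frame. The companion patch's description says the column values come from the user, so repeated bad writes could fill the kernel log at alert level; `printk_ratelimited(KERN_WARNING "razerchroma: RGB data too long\n");` would bound that. Setting `row_length = 0` stops the copy, but the function still builds and returns a report (the third hunk goes on to store `start_col` in `report.arguments[0]`), so a comment such as `/* invalid range: copy nothing; this signature has no error path, callers must validate the columns */` would record why. All three function bodies start and end outside the hunks.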
+
diff -Nru openrazer-3.5.1+dfsg/debian/patches/0002-driver-Fix-possible-integer-overflow-in-write_matrix.patch openrazer-3.5.1+dfsg/debian/patches/0002-driver-Fix-possible-integer-overflow-in-write_matrix.patch
--- openrazer-3.5.1+dfsg/debian/patches/0002-driver-Fix-possible-integer-overflow-in-write_matrix.patch 1970-01-01 00:00:00.000000000 +0000
+++ openrazer-3.5.1+dfsg/debian/patches/0002-driver-Fix-possible-integer-overflow-in-write_matrix.patch 2025-04-23 19:43:56.000000000 +0000
@@ -0,0 +1,61 @@
+From 42f4b7c4eab618031b2c9bb19188c69f40900c52 Mon Sep 17 00:00:00 2001
+From: Luca Weiss
+Date: Thu, 10 Apr 2025 20:34:39 +0200
+Subject: driver: Fix possible integer overflow in write_matrix_custom_frame
+
+When a user passes start_col=0x00 and stop_col=0x55 with the data,
+row_length can easily wrap around leading to undesired behavior
+including out of bounds read while copying data into report.arguments.
+
+Avoid the overflow by making sure the underlying type has enough space
+for the value ((255 + 1) - 0) * 3 = 768.
+
+Issue: https://github.com/openrazer/openrazer/issues/2433
+---
+ driver/razeraccessory_driver.c | 2 +-
+ driver/razerkbd_driver.c | 2 +-
+ driver/razermouse_driver.c | 2 +-
+ 3 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/driver/razeraccessory_driver.c b/driver/razeraccessory_driver.c
+index 2bfb00e0..0928b0bb 100644
+--- a/driver/razeraccessory_driver.c
++++ b/driver/razeraccessory_driver.c
+@@ -830,7 +830,7 @@ static ssize_t razer_attr_write_matrix_custom_frame(struct device *dev, struct d
+ unsigned char row_id;
+ unsigned char start_col;
+ unsigned char stop_col;
+- unsigned char row_length;
++ size_t row_length;
+
+ //printk(KERN_ALERT "razermyg: Total count: %d\n", (unsigned char)count);
+
+diff --git a/driver/razerkbd_driver.c b/driver/razerkbd_driver.c
+index 672f88a0..c647202c 100644
+--- a/driver/razerkbd_driver.c
++++ b/driver/razerkbd_driver.c
+@@ -2484,7 +2484,7 @@ static ssize_t razer_attr_write_matrix_custom_frame(struct device *dev, struct d
+ unsigned char row_id;
+ unsigned char start_col;
+ unsigned char stop_col;
+- unsigned char row_length;
++ size_t row_length;
+
+ //printk(KERN_ALERT "razerkbd: Total count: %d\n", (unsigned char)count);
+
+diff --git a/driver/razermouse_driver.c b/driver/razermouse_driver.c
+index 01c95f3f..e325920d 100644
+--- a/driver/razermouse_driver.c
++++ b/driver/razermouse_driver.c
+@@ -2230,7 +2230,7 @@ static ssize_t razer_attr_write_matrix_custom_frame(struct
device *dev, struct d
+ unsigned char row_id;
+ unsigned char start_col;
+ unsigned char stop_col;
+- unsigned char row_length;
++ size_t row_length;
+
+ //printk(KERN_ALERT "razermouse: Total count: %d\n", (unsigned char)count);
+
+--
+2.30.2
+
diff -Nru openrazer-3.5.1+dfsg/debian/patches/series openrazer-3.5.1+dfsg/debian/patches/series
--- openrazer-3.5.1+dfsg/debian/patches/series 2023-02-03 16:07:01.000000000 +0000
+++ openrazer-3.5.1+dfsg/debian/patches/series 2025-04-23 19:45:04.000000000 +0000
@@ -1,2 +1,4 @@
 6322c4ab9d12b5711eead41821fe19149e515afc.patch
 skip-without-CONFIG_USB.patch
+0001-driver-Stop-copying-any-custom-frame-data-when-param.patch
+0002-driver-Fix-possible-integer-overflow-in-write_matrix.patch
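Review bot: Nothing visible in the razermouse_driver.c hunk of patch 0002 rejects a `stop_col` smaller than `start_col`; the hunk only widens `row_length` to `size_t`, which removes the 8-bit truncation. The worked example in the commit message, ((255 + 1) - 0) * 3, suggests the length is derived from the two column bytes. If the code outside the hunk computes it that way, a reversed range would become a very large unsigned value rather than an early failure, and any later check against `count` would have to cope with it. An explicit guard before the computation, `if (stop_col < start_col) return -EINVAL;`, would make the handler fail closed. The same applies to the identical hunks in razeraccessory_driver.c and razerkbd_driver.c, and in each case the body of razer_attr_write_matrix_custom_frame starts and ends outside the hunk.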