* [PATCH 0/5] Fix various syzbot errors
@ 2019-11-12  9:22 Hans Verkuil
  2019-11-12  9:22 ` [PATCH 1/5] gspca: zero usb_buf Hans Verkuil
                   ` (4 more replies)
  0 siblings, 5 replies; 10+ messages in thread
From: Hans Verkuil @ 2019-11-12  9:22 UTC (permalink / raw)
  To: linux-media

These patches fix a bunch of syzbot errors due to uninitialized
memory.

Regards,

	Hans

Hans Verkuil (5):
  gspca: zero usb_buf
  dvb-usb/af9005: initialize act_len
  dvb-usb/vp7045: initialize br[]
  dvb-usb/digitv: initialize key[]
  dvb-usb/dvb-usb-urb.c: initialize actlen to 0

 drivers/media/usb/dvb-usb/af9005.c      | 2 +-
 drivers/media/usb/dvb-usb/digitv.c      | 2 +-
 drivers/media/usb/dvb-usb/dvb-usb-urb.c | 2 +-
 drivers/media/usb/dvb-usb/vp7045.c      | 2 +-
 drivers/media/usb/gspca/gspca.c         | 2 +-
 5 files changed, 5 insertions(+), 5 deletions(-)

-- 
2.24.0



* [PATCH 1/5] gspca: zero usb_buf
  2019-11-12  9:22 [PATCH 0/5] Fix various syzbot errors Hans Verkuil
@ 2019-11-12  9:22 ` Hans Verkuil
  2019-11-12  9:22 ` [PATCH 2/5] dvb-usb/af9005: initialize act_len Hans Verkuil
                   ` (3 subsequent siblings)
  4 siblings, 0 replies; 10+ messages in thread
From: Hans Verkuil @ 2019-11-12  9:22 UTC (permalink / raw)
  To: linux-media
  Cc: Hans Verkuil, syzbot+32310fc2aea76898d074,
	syzbot+99706d6390be1ac542a2, syzbot+64437af5c781a7f0e08e

Allocate gspca_dev->usb_buf with kzalloc instead of kmalloc to
ensure it is properly zeroed. This fixes various syzbot errors
about uninitialized data.

Syzbot links:

https://syzkaller.appspot.com/bug?extid=32310fc2aea76898d074
https://syzkaller.appspot.com/bug?extid=99706d6390be1ac542a2
https://syzkaller.appspot.com/bug?extid=64437af5c781a7f0e08e

Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Reported-and-tested-by: syzbot+32310fc2aea76898d074@syzkaller.appspotmail.com
Reported-and-tested-by: syzbot+99706d6390be1ac542a2@syzkaller.appspotmail.com
Reported-and-tested-by: syzbot+64437af5c781a7f0e08e@syzkaller.appspotmail.com
---
 drivers/media/usb/gspca/gspca.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/media/usb/gspca/gspca.c b/drivers/media/usb/gspca/gspca.c
index 4add2b12d330..c1b307bbe540 100644
--- a/drivers/media/usb/gspca/gspca.c
+++ b/drivers/media/usb/gspca/gspca.c
@@ -1461,7 +1461,7 @@ int gspca_dev_probe2(struct usb_interface *intf,
 		pr_err("couldn't kzalloc gspca struct\n");
 		return -ENOMEM;
 	}
-	gspca_dev->usb_buf = kmalloc(USB_BUF_SZ, GFP_KERNEL);
+	gspca_dev->usb_buf = kzalloc(USB_BUF_SZ, GFP_KERNEL);
 	if (!gspca_dev->usb_buf) {
 		pr_err("out of memory\n");
 		ret = -ENOMEM;
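Review bot: The kzalloc() at `gspca_dev->usb_buf = kzalloc(USB_BUF_SZ, GFP_KERNEL);` zeroes the buffer only once, at probe time, so it removes the uninitialized-heap read without saying why a reader consumed bytes the device never wrote. If the three syzbot reports come from sub-drivers reading usb_buf after a failed or short transfer, those readers should check the transfer result before using the data, and the commit message should name them; otherwise they now silently operate on zeros. Separately, the `pr_err("out of memory\n");` in the context lines duplicates the warning the allocator already prints on failure and could be dropped in a follow-up.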
-- 
2.24.0



* [PATCH 2/5] dvb-usb/af9005: initialize act_len
  2019-11-12  9:22 [PATCH 0/5] Fix various syzbot errors Hans Verkuil
  2019-11-12  9:22 ` [PATCH 1/5] gspca: zero usb_buf Hans Verkuil
@ 2019-11-12  9:22 ` Hans Verkuil
  2019-11-12  9:49   ` Sean Young
  2019-11-12  9:22 ` [PATCH 3/5] dvb-usb/vp7045: initialize br[] Hans Verkuil
                   ` (2 subsequent siblings)
  4 siblings, 1 reply; 10+ messages in thread
From: Hans Verkuil @ 2019-11-12  9:22 UTC (permalink / raw)
  To: linux-media; +Cc: Hans Verkuil, syzbot+9d42b7773d2fecd983ab, Sean Young

The act_len variable was uninitialized, leading to a syzbot
error.

Syzbot link:

https://syzkaller.appspot.com/bug?extid=9d42b7773d2fecd983ab

Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Reported-and-tested-by: syzbot+9d42b7773d2fecd983ab@syzkaller.appspotmail.com
CC: Sean Young <sean@mess.org>
---
 drivers/media/usb/dvb-usb/af9005.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/media/usb/dvb-usb/af9005.c b/drivers/media/usb/dvb-usb/af9005.c
index ac93e88d7038..89b4b5d84cdf 100644
--- a/drivers/media/usb/dvb-usb/af9005.c
+++ b/drivers/media/usb/dvb-usb/af9005.c
@@ -554,7 +554,7 @@ static int af9005_boot_packet(struct usb_device *udev, int type, u8 *reply,
 			      u8 *buf, int size)
 {
 	u16 checksum;
-	int act_len, i, ret;
+	int act_len = 0, i, ret;
 
 	memset(buf, 0, size);
 	buf[0] = (u8) (FW_BULKOUT_SIZE & 0xff);
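Review bot: The commit message does not say which path reads act_len before it is written, and the hunk at `int act_len = 0, i, ret;` does not show it either, so a reviewer cannot tell whether 0 is a safe default or just a value that happens to fail a later length comparison. Please state in the changelog where the uninitialized read happens and confirm that the transfer's return value is tested before act_len is compared; if it is not, that check is the fix and the initializer is only a backstop.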
-- 
2.24.0



* [PATCH 3/5] dvb-usb/vp7045: initialize br[]
  2019-11-12  9:22 [PATCH 0/5] Fix various syzbot errors Hans Verkuil
  2019-11-12  9:22 ` [PATCH 1/5] gspca: zero usb_buf Hans Verkuil
  2019-11-12  9:22 ` [PATCH 2/5] dvb-usb/af9005: initialize act_len Hans Verkuil
@ 2019-11-12  9:22 ` Hans Verkuil
  2019-11-12  9:50   ` Sean Young
  2019-11-12  9:22 ` [PATCH 4/5] dvb-usb/digitv: initialize key[] Hans Verkuil
  2019-11-12  9:22 ` [PATCH 5/5] dvb-usb/dvb-usb-urb.c: initialize actlen to 0 Hans Verkuil
  4 siblings, 1 reply; 10+ messages in thread
From: Hans Verkuil @ 2019-11-12  9:22 UTC (permalink / raw)
  To: linux-media; +Cc: Hans Verkuil, syzbot+ec869945d3dde5f33b43, Sean Young

The br[] array was uninitialized, leading to a syzbot error.

Syzbot link:

https://syzkaller.appspot.com/bug?extid=ec869945d3dde5f33b43

Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Reported-by: syzbot+ec869945d3dde5f33b43@syzkaller.appspotmail.com
CC: Sean Young <sean@mess.org>
---
 drivers/media/usb/dvb-usb/vp7045.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/media/usb/dvb-usb/vp7045.c b/drivers/media/usb/dvb-usb/vp7045.c
index 80c1cf05384b..3e87adca5be9 100644
--- a/drivers/media/usb/dvb-usb/vp7045.c
+++ b/drivers/media/usb/dvb-usb/vp7045.c
@@ -116,7 +116,7 @@ static int vp7045_rc_query(struct dvb_usb_device *d)
 static int vp7045_read_eeprom(struct dvb_usb_device *d,u8 *buf, int len, int offset)
 {
 	int i = 0;
-	u8 v,br[2];
+	u8 v, br[2] = { 0 };
 	for (i=0; i < len; i++) {
 		v = offset + i;
 		vp7045_usb_op(d,GET_EE_VALUE,&v,1,br,2,5);
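Review bot: The return value of `vp7045_usb_op(d,GET_EE_VALUE,&v,1,br,2,5);` in the loop is still ignored, so with `br[2] = { 0 }` a failed transfer no longer reads stack garbage but yields zeros that are indistinguishable from real EEPROM content. Suggest capturing the result, breaking out of the loop on error and returning it from vp7045_read_eeprom(), keeping the initializer only as defence in depth.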
-- 
2.24.0



* [PATCH 4/5] dvb-usb/digitv: initialize key[]
  2019-11-12  9:22 [PATCH 0/5] Fix various syzbot errors Hans Verkuil
                   ` (2 preceding siblings ...)
  2019-11-12  9:22 ` [PATCH 3/5] dvb-usb/vp7045: initialize br[] Hans Verkuil
@ 2019-11-12  9:22 ` Hans Verkuil
  2019-11-12  9:51   ` Sean Young
  2019-11-12  9:22 ` [PATCH 5/5] dvb-usb/dvb-usb-urb.c: initialize actlen to 0 Hans Verkuil
  4 siblings, 1 reply; 10+ messages in thread
From: Hans Verkuil @ 2019-11-12  9:22 UTC (permalink / raw)
  To: linux-media; +Cc: Hans Verkuil, syzbot+6bf9606ee955b646c0e1, Sean Young

The key array was not initialized to 0, leading to a syzbot failure.

Syzbot link:

https://syzkaller.appspot.com/bug?extid=6bf9606ee955b646c0e1

Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Reported-by: syzbot+6bf9606ee955b646c0e1@syzkaller.appspotmail.com
CC: Sean Young <sean@mess.org>
---
 drivers/media/usb/dvb-usb/digitv.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/media/usb/dvb-usb/digitv.c b/drivers/media/usb/dvb-usb/digitv.c
index dd5bb230cec1..72b22409880a 100644
--- a/drivers/media/usb/dvb-usb/digitv.c
+++ b/drivers/media/usb/dvb-usb/digitv.c
@@ -231,7 +231,7 @@ static struct rc_map_table rc_map_digitv_table[] = {
 static int digitv_rc_query(struct dvb_usb_device *d, u32 *event, int *state)
 {
 	int i;
-	u8 key[5];
+	u8 key[5] = { 0 };
 	u8 b[4] = { 0 };
 
 	*event = 0;
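Review bot: The initializer at `u8 key[5] = { 0 };` is tagged with the same syzbot report (6bf9606ee955b646c0e1) as patch 5/5, but here it is only Reported-by while 5/5 is Reported-and-tested-by, so it is unclear whether this change is needed for that report or whether 5/5 alone resolves it. Please say in the changelog which call fills key[] and how it can return without writing it; if that call can fail, digitv_rc_query() should test its result and return before key[] is parsed rather than parse five zero bytes.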
-- 
2.24.0



* [PATCH 5/5] dvb-usb/dvb-usb-urb.c: initialize actlen to 0
  2019-11-12  9:22 [PATCH 0/5] Fix various syzbot errors Hans Verkuil
                   ` (3 preceding siblings ...)
  2019-11-12  9:22 ` [PATCH 4/5] dvb-usb/digitv: initialize key[] Hans Verkuil
@ 2019-11-12  9:22 ` Hans Verkuil
  2019-11-12  9:53   ` Sean Young
  4 siblings, 1 reply; 10+ messages in thread
From: Hans Verkuil @ 2019-11-12  9:22 UTC (permalink / raw)
  To: linux-media; +Cc: Hans Verkuil, syzbot+6bf9606ee955b646c0e1, Sean Young

This fixes a syzbot failure since actlen could be uninitialized,
but it was still used.

Syzbot link:

https://syzkaller.appspot.com/bug?extid=6bf9606ee955b646c0e1

Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Reported-and-tested-by: syzbot+6bf9606ee955b646c0e1@syzkaller.appspotmail.com
CC: Sean Young <sean@mess.org>
---
 drivers/media/usb/dvb-usb/dvb-usb-urb.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/media/usb/dvb-usb/dvb-usb-urb.c b/drivers/media/usb/dvb-usb/dvb-usb-urb.c
index c1b4e94a37f8..2aabf90d8697 100644
--- a/drivers/media/usb/dvb-usb/dvb-usb-urb.c
+++ b/drivers/media/usb/dvb-usb/dvb-usb-urb.c
@@ -12,7 +12,7 @@
 int dvb_usb_generic_rw(struct dvb_usb_device *d, u8 *wbuf, u16 wlen, u8 *rbuf,
 	u16 rlen, int delay_ms)
 {
-	int actlen,ret = -ENOMEM;
+	int actlen = 0, ret = -ENOMEM;
 
 	if (!d || wbuf == NULL || wlen == 0)
 		return -EINVAL;
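Review bot: Initializing at the declaration, `int actlen = 0, ret = -ENOMEM;`, suppresses the uninitialized-use report for every later path in dvb_usb_generic_rw(), including ones added in future, instead of fixing the one path that reads actlen without a successful transfer. The changelog says actlen "was still used" but not where; please identify that use and guard it on the transfer's return value, so that a failed read leaves the function returning an error rather than reporting a zero-length result that callers may treat as success with rbuf untouched.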
-- 
2.24.0



* Re: [PATCH 2/5] dvb-usb/af9005: initialize act_len
  2019-11-12  9:22 ` [PATCH 2/5] dvb-usb/af9005: initialize act_len Hans Verkuil
@ 2019-11-12  9:49   ` Sean Young
  0 siblings, 0 replies; 10+ messages in thread
From: Sean Young @ 2019-11-12  9:49 UTC (permalink / raw)
  To: Hans Verkuil; +Cc: linux-media, syzbot+9d42b7773d2fecd983ab

On Tue, Nov 12, 2019 at 10:22:25AM +0100, Hans Verkuil wrote:
> The act_len variable was uninitialized, leading to a syzbot
> error.
> 
> Syzbot link:
> 
> https://syzkaller.appspot.com/bug?extid=9d42b7773d2fecd983ab
> 
> Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
> Reported-and-tested-by: syzbot+9d42b7773d2fecd983ab@syzkaller.appspotmail.com
> CC: Sean Young <sean@mess.org>

This is the same as:

https://patchwork.linuxtv.org/patch/59986/

Sean

> ---
>  drivers/media/usb/dvb-usb/af9005.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/drivers/media/usb/dvb-usb/af9005.c b/drivers/media/usb/dvb-usb/af9005.c
> index ac93e88d7038..89b4b5d84cdf 100644
> --- a/drivers/media/usb/dvb-usb/af9005.c
> +++ b/drivers/media/usb/dvb-usb/af9005.c
> @@ -554,7 +554,7 @@ static int af9005_boot_packet(struct usb_device *udev, int type, u8 *reply,
>  			      u8 *buf, int size)
>  {
>  	u16 checksum;
> -	int act_len, i, ret;
> +	int act_len = 0, i, ret;
>  
>  	memset(buf, 0, size);
>  	buf[0] = (u8) (FW_BULKOUT_SIZE & 0xff);
> -- 
> 2.24.0


* Re: [PATCH 3/5] dvb-usb/vp7045: initialize br[]
  2019-11-12  9:22 ` [PATCH 3/5] dvb-usb/vp7045: initialize br[] Hans Verkuil
@ 2019-11-12  9:50   ` Sean Young
  0 siblings, 0 replies; 10+ messages in thread
From: Sean Young @ 2019-11-12  9:50 UTC (permalink / raw)
  To: Hans Verkuil; +Cc: linux-media, syzbot+ec869945d3dde5f33b43

On Tue, Nov 12, 2019 at 10:22:26AM +0100, Hans Verkuil wrote:
> The br[] array was uninitialized, leading to a syzbot error.
> 
> Syzbot link:
> 
> https://syzkaller.appspot.com/bug?extid=ec869945d3dde5f33b43
> 
> Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
> Reported-by: syzbot+ec869945d3dde5f33b43@syzkaller.appspotmail.com
> CC: Sean Young <sean@mess.org>
> ---

The value is uninitialized because the usb transfer failed. My solution
actually returns an error.

https://patchwork.linuxtv.org/patch/59985/

Note that in both cases the error won't be fatal, but should be reported.

Sean

>  drivers/media/usb/dvb-usb/vp7045.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/drivers/media/usb/dvb-usb/vp7045.c b/drivers/media/usb/dvb-usb/vp7045.c
> index 80c1cf05384b..3e87adca5be9 100644
> --- a/drivers/media/usb/dvb-usb/vp7045.c
> +++ b/drivers/media/usb/dvb-usb/vp7045.c
> @@ -116,7 +116,7 @@ static int vp7045_rc_query(struct dvb_usb_device *d)
>  static int vp7045_read_eeprom(struct dvb_usb_device *d,u8 *buf, int len, int offset)
>  {
>  	int i = 0;
> -	u8 v,br[2];
> +	u8 v, br[2] = { 0 };
>  	for (i=0; i < len; i++) {
>  		v = offset + i;
>  		vp7045_usb_op(d,GET_EE_VALUE,&v,1,br,2,5);
> -- 
> 2.24.0


* Re: [PATCH 4/5] dvb-usb/digitv: initialize key[]
  2019-11-12  9:22 ` [PATCH 4/5] dvb-usb/digitv: initialize key[] Hans Verkuil
@ 2019-11-12  9:51   ` Sean Young
  0 siblings, 0 replies; 10+ messages in thread
From: Sean Young @ 2019-11-12  9:51 UTC (permalink / raw)
  To: Hans Verkuil; +Cc: linux-media, syzbot+6bf9606ee955b646c0e1

On Tue, Nov 12, 2019 at 10:22:27AM +0100, Hans Verkuil wrote:
> The key array was not initialized to 0, leading to a syzbot failure.
> 
> Syzbot link:
> 
> https://syzkaller.appspot.com/bug?extid=6bf9606ee955b646c0e1
> 
> Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
> Reported-by: syzbot+6bf9606ee955b646c0e1@syzkaller.appspotmail.com
> CC: Sean Young <sean@mess.org>

Same as:

https://patchwork.linuxtv.org/patch/59984/

Sean
> ---
>  drivers/media/usb/dvb-usb/digitv.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/drivers/media/usb/dvb-usb/digitv.c b/drivers/media/usb/dvb-usb/digitv.c
> index dd5bb230cec1..72b22409880a 100644
> --- a/drivers/media/usb/dvb-usb/digitv.c
> +++ b/drivers/media/usb/dvb-usb/digitv.c
> @@ -231,7 +231,7 @@ static struct rc_map_table rc_map_digitv_table[] = {
>  static int digitv_rc_query(struct dvb_usb_device *d, u32 *event, int *state)
>  {
>  	int i;
> -	u8 key[5];
> +	u8 key[5] = { 0 };
>  	u8 b[4] = { 0 };
>  
>  	*event = 0;
> -- 
> 2.24.0


* Re: [PATCH 5/5] dvb-usb/dvb-usb-urb.c: initialize actlen to 0
  2019-11-12  9:22 ` [PATCH 5/5] dvb-usb/dvb-usb-urb.c: initialize actlen to 0 Hans Verkuil
@ 2019-11-12  9:53   ` Sean Young
  0 siblings, 0 replies; 10+ messages in thread
From: Sean Young @ 2019-11-12  9:53 UTC (permalink / raw)
  To: Hans Verkuil; +Cc: linux-media, syzbot+6bf9606ee955b646c0e1

On Tue, Nov 12, 2019 at 10:22:28AM +0100, Hans Verkuil wrote:
> This fixes a syzbot failure since actlen could be uninitialized,
> but it was still used.
> 
> Syzbot link:
> 
> https://syzkaller.appspot.com/bug?extid=6bf9606ee955b646c0e1
> 
> Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
> Reported-and-tested-by: syzbot+6bf9606ee955b646c0e1@syzkaller.appspotmail.com
> CC: Sean Young <sean@mess.org>

Thanks, looks good.

Acked-by: Sean Young <sean@mess.org>

Sean

> ---
>  drivers/media/usb/dvb-usb/dvb-usb-urb.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/drivers/media/usb/dvb-usb/dvb-usb-urb.c b/drivers/media/usb/dvb-usb/dvb-usb-urb.c
> index c1b4e94a37f8..2aabf90d8697 100644
> --- a/drivers/media/usb/dvb-usb/dvb-usb-urb.c
> +++ b/drivers/media/usb/dvb-usb/dvb-usb-urb.c
> @@ -12,7 +12,7 @@
>  int dvb_usb_generic_rw(struct dvb_usb_device *d, u8 *wbuf, u16 wlen, u8 *rbuf,
>  	u16 rlen, int delay_ms)
>  {
> -	int actlen,ret = -ENOMEM;
> +	int actlen = 0, ret = -ENOMEM;
>  
>  	if (!d || wbuf == NULL || wlen == 0)
>  		return -EINVAL;
> -- 
> 2.24.0
