* [PATCH v2 1/2] media: uvcvideo: Avoid invalid memory access
@ 2021-12-01 5:22 Ricardo Ribalda
2021-12-01 5:22 ` [PATCH v2 2/2] media: uvcvideo: Avoid returning invalid controls Ricardo Ribalda
2021-12-01 5:42 ` [PATCH v2 1/2] media: uvcvideo: Avoid invalid memory access Laurent Pinchart
0 siblings, 2 replies; 3+ messages in thread
From: Ricardo Ribalda @ 2021-12-01 5:22 UTC (permalink / raw)
To: Laurent Pinchart, Mauro Carvalho Chehab, Hans Verkuil,
linux-media, linux-kernel
Cc: Ricardo Ribalda
If mappings points to an invalid memory, we will be invalid accessing
it.
Solve it by initializing the value of the variable mapping and by
changing the order in the conditional statement (to avoid accessing
mapping->id if not needed).
Fix:
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] PREEMPT SMP KASAN NOPTI
Fixes: 6350d6a4ed487 ("media: uvcvideo: Set error_idx during ctrl_commit errors")
Signed-off-by: Ricardo Ribalda <ribalda@chromium.org>
---
drivers/media/usb/uvc/uvc_ctrl.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/media/usb/uvc/uvc_ctrl.c b/drivers/media/usb/uvc/uvc_ctrl.c
index 30bfe9069a1f..9a25d6029255 100644
--- a/drivers/media/usb/uvc/uvc_ctrl.c
+++ b/drivers/media/usb/uvc/uvc_ctrl.c
@@ -1638,7 +1638,7 @@ static int uvc_ctrl_find_ctrl_idx(struct uvc_entity *entity,
struct v4l2_ext_controls *ctrls,
struct uvc_control *uvc_control)
{
- struct uvc_control_mapping *mapping;
+ struct uvc_control_mapping *mapping = NULL;
struct uvc_control *ctrl_found;
unsigned int i;
--
2.34.0.rc2.393.gf8c9666880-goog
^ permalink raw reply related [flat|nested] 3+ messages in thread
* [PATCH v2 2/2] media: uvcvideo: Avoid returning invalid controls
2021-12-01 5:22 [PATCH v2 1/2] media: uvcvideo: Avoid invalid memory access Ricardo Ribalda
@ 2021-12-01 5:22 ` Ricardo Ribalda
2021-12-01 5:42 ` [PATCH v2 1/2] media: uvcvideo: Avoid invalid memory access Laurent Pinchart
1 sibling, 0 replies; 3+ messages in thread
From: Ricardo Ribalda @ 2021-12-01 5:22 UTC (permalink / raw)
To: Laurent Pinchart, Mauro Carvalho Chehab, Hans Verkuil,
linux-media, linux-kernel
Cc: Ricardo Ribalda
If the memory where ctrl_found is placed has the value of uvc_ctrl and
__uvc_find_control does not find the control we will return an invalid
index.
Fixes: 6350d6a4ed487 ("media: uvcvideo: Set error_idx during ctrl_commit errors")
Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Signed-off-by: Ricardo Ribalda <ribalda@chromium.org>
---
drivers/media/usb/uvc/uvc_ctrl.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/media/usb/uvc/uvc_ctrl.c b/drivers/media/usb/uvc/uvc_ctrl.c
index 9a25d6029255..b4f6edf968bc 100644
--- a/drivers/media/usb/uvc/uvc_ctrl.c
+++ b/drivers/media/usb/uvc/uvc_ctrl.c
@@ -1639,7 +1639,7 @@ static int uvc_ctrl_find_ctrl_idx(struct uvc_entity *entity,
struct uvc_control *uvc_control)
{
struct uvc_control_mapping *mapping = NULL;
- struct uvc_control *ctrl_found;
+ struct uvc_control *ctrl_found = NULL;
unsigned int i;
if (!entity)
--
2.34.0.rc2.393.gf8c9666880-goog
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [PATCH v2 1/2] media: uvcvideo: Avoid invalid memory access
2021-12-01 5:22 [PATCH v2 1/2] media: uvcvideo: Avoid invalid memory access Ricardo Ribalda
2021-12-01 5:22 ` [PATCH v2 2/2] media: uvcvideo: Avoid returning invalid controls Ricardo Ribalda
@ 2021-12-01 5:42 ` Laurent Pinchart
1 sibling, 0 replies; 3+ messages in thread
From: Laurent Pinchart @ 2021-12-01 5:42 UTC (permalink / raw)
To: Ricardo Ribalda
Cc: Mauro Carvalho Chehab, Hans Verkuil, linux-media, linux-kernel
Hi Ricardo,
Thank you for the patch.
On Wed, Dec 01, 2021 at 06:22:17AM +0100, Ricardo Ribalda wrote:
> If mappings points to an invalid memory, we will be invalid accessing
> it.
I'll reflow the commit message.
> Solve it by initializing the value of the variable mapping and by
> changing the order in the conditional statement (to avoid accessing
> mapping->id if not needed).
>
> Fix:
> kasan: GPF could be caused by NULL-ptr deref or user memory access
> general protection fault: 0000 [#1] PREEMPT SMP KASAN NOPTI
>
> Fixes: 6350d6a4ed487 ("media: uvcvideo: Set error_idx during ctrl_commit errors")
> Signed-off-by: Ricardo Ribalda <ribalda@chromium.org>
Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
> ---
> drivers/media/usb/uvc/uvc_ctrl.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/media/usb/uvc/uvc_ctrl.c b/drivers/media/usb/uvc/uvc_ctrl.c
> index 30bfe9069a1f..9a25d6029255 100644
> --- a/drivers/media/usb/uvc/uvc_ctrl.c
> +++ b/drivers/media/usb/uvc/uvc_ctrl.c
> @@ -1638,7 +1638,7 @@ static int uvc_ctrl_find_ctrl_idx(struct uvc_entity *entity,
> struct v4l2_ext_controls *ctrls,
> struct uvc_control *uvc_control)
> {
> - struct uvc_control_mapping *mapping;
> + struct uvc_control_mapping *mapping = NULL;
> struct uvc_control *ctrl_found;
> unsigned int i;
>
--
Regards,
Laurent Pinchart
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2021-12-01 5:43 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-12-01 5:22 [PATCH v2 1/2] media: uvcvideo: Avoid invalid memory access Ricardo Ribalda
2021-12-01 5:22 ` [PATCH v2 2/2] media: uvcvideo: Avoid returning invalid controls Ricardo Ribalda
2021-12-01 5:42 ` [PATCH v2 1/2] media: uvcvideo: Avoid invalid memory access Laurent Pinchart
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.