* [PATCH][next] media: v4l2-core: fix uninitialized structure fields being returned to userspace
@ 2020-01-07 14:02 ` Colin King
  0 siblings, 0 replies; 4+ messages in thread
From: Colin King @ 2020-01-07 14:02 UTC (permalink / raw)
  To: Mauro Carvalho Chehab, Hans Verkuil, Arnd Bergmann, linux-media
  Cc: kernel-janitors, linux-kernel

From: Colin Ian King <colin.king@canonical.com>

In the case where v4l2_event_dequeue fails the structure ev is not
being filled and this garbage data from the stack is being copied
to the ev32 structure and being copied back to userspace on the
VIDIOC_DQEVENT_TIME32 ioctl.  Fix this by ensuring the ev structure
is zero'd to ensure uninitialized data is not leaked back.

Addresses-Coverity: ("Uninitialized scalar variable")
Fixes: 1a6c0b36dd19 ("media: v4l2-core: fix VIDIOC_DQEVENT for time64 ABI")
Signed-off-by: Colin Ian King <colin.king@canonical.com>
---
 drivers/media/v4l2-core/v4l2-subdev.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/media/v4l2-core/v4l2-subdev.c b/drivers/media/v4l2-core/v4l2-subdev.c
index de926e311348..a376b351135f 100644
--- a/drivers/media/v4l2-core/v4l2-subdev.c
+++ b/drivers/media/v4l2-core/v4l2-subdev.c
@@ -394,7 +394,7 @@ static long subdev_do_ioctl(struct file *file, unsigned int cmd, void *arg)
 
 	case VIDIOC_DQEVENT_TIME32: {
 		struct v4l2_event_time32 *ev32 = arg;
-		struct v4l2_event ev;
+		struct v4l2_event ev = { };
 
 		if (!(sd->flags & V4L2_SUBDEV_FL_HAS_EVENTS))
 			return -ENOIOCTLCMD;
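Review bot: the failure path of v4l2_event_dequeue still needs a look after the `struct v4l2_event ev = { };` change. The commit message says the copy into ev32 runs even when the dequeue fails, so with this fix userspace receives an all-zero event alongside the error instead of stack contents. The copy itself is outside the visible context; if it is unconditional, consider returning the error before ev32 is filled, so that the zero-initializer is a second line of defence rather than the only one.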
-- 
2.24.0


* Re: [PATCH][next] media: v4l2-core: fix uninitialized structure fields being returned to userspace
  2020-01-07 14:02 ` Colin King
@ 2020-01-07 14:17   ` Arnd Bergmann
  -1 siblings, 0 replies; 4+ messages in thread
From: Arnd Bergmann @ 2020-01-07 14:17 UTC (permalink / raw)
  To: Colin King
  Cc: Mauro Carvalho Chehab, Hans Verkuil, Linux Media Mailing List,
	kernel-janitors, linux-kernel

On Tue, Jan 7, 2020 at 3:02 PM Colin King <colin.king@canonical.com> wrote:
>
> From: Colin Ian King <colin.king@canonical.com>
>
> In the case where v4l2_event_dequeue fails the structure ev is not
> being filled and this garbage data from the stack is being copied
> to the ev32 structure and being copied back to userspace on the
> VIDIOC_DQEVENT_TIME32 ioctl.  Fix this by ensuring the ev structure
> is zero'd to ensure uninitialized data is not leaked back.
>
> Addresses-Coverity: ("Uninitialized scalar variable")
> Fixes: 1a6c0b36dd19 ("media: v4l2-core: fix VIDIOC_DQEVENT for time64 ABI")
> Signed-off-by: Colin Ian King <colin.king@canonical.com>

Good catch, thanks for fixing!

Acked-by: Arnd Bergmann <arnd@arndb.de>

> ---
>  drivers/media/v4l2-core/v4l2-subdev.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/media/v4l2-core/v4l2-subdev.c b/drivers/media/v4l2-core/v4l2-subdev.c
> index de926e311348..a376b351135f 100644
> --- a/drivers/media/v4l2-core/v4l2-subdev.c
> +++ b/drivers/media/v4l2-core/v4l2-subdev.c
> @@ -394,7 +394,7 @@ static long subdev_do_ioctl(struct file *file, unsigned int cmd, void *arg)
>
>         case VIDIOC_DQEVENT_TIME32: {
>                 struct v4l2_event_time32 *ev32 = arg;
> -               struct v4l2_event ev;
> +               struct v4l2_event ev = { };
>
>                 if (!(sd->flags & V4L2_SUBDEV_FL_HAS_EVENTS))
>                         return -ENOIOCTLCMD;
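Review bot: on the `struct v4l2_event ev = { };` line, the empty-brace initializer zeroes the named members, but the C standard does not guarantee that padding bytes of an automatic struct are cleared. That is enough as long as ev is copied field by field into ev32 (an assumption here, since ev and ev32 are different struct types and the copy is not in the visible context). If ev were ever handed to userspace as a whole, memset(&ev, 0, sizeof(ev)) would be the safer form.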
> --
> 2.24.0
>
