From: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
To: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
Cc: "Hans Verkuil" <hverkuil-cisco@xs4all.nl>,
"Sakari Ailus" <sakari.ailus@linux.intel.com>,
"Arnd Bergmann" <arnd@arndb.de>,
"Vandana BN" <bnvandana@gmail.com>,
"Niklas Söderlund" <niklas.soderlund+renesas@ragnatech.se>,
linux-media@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH 02/38] media: v4l2-ioctl: avoid memory leaks on some time32 compat functions
Date: Wed, 2 Sep 2020 19:26:12 +0300
Message-ID: <20200902162612.GB16811@pendragon.ideasonboard.com>
In-Reply-To: <27254f9780e7ec8502761826c2888dbd51a536a8.1599062230.git.mchehab+huawei@kernel.org>
Hi Mauro,
Thank you for the patch.
On Wed, Sep 02, 2020 at 06:10:05PM +0200, Mauro Carvalho Chehab wrote:
> There are some reports about possible memory leaks:
>
> drivers/media/v4l2-core//v4l2-ioctl.c:3203 video_put_user() warn: check that 'ev32' doesn't leak information (struct has a hole after 'type')
> drivers/media/v4l2-core//v4l2-ioctl.c:3230 video_put_user() warn: check that 'vb32' doesn't leak information (struct has a hole after 'memory')
>
> While smatch seems to be reporting a false positive (line 3203),
> there's indeed a possible leak with reserved2 at vb32.
>
> We might have fixed just that one, but smatch checks won't
> be able to check leaks at ev32. So, re-work the code in a way
> that will ensure that the var contents will be zeroed before
> filling it.
>
> With that, we no longer need to touch the reserved fields.
>
> Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
> ---
> drivers/media/v4l2-core/v4l2-ioctl.c | 48 ++++++++++++++--------------
> 1 file changed, 24 insertions(+), 24 deletions(-)
>
> diff --git a/drivers/media/v4l2-core/v4l2-ioctl.c b/drivers/media/v4l2-core/v4l2-ioctl.c
> index a556880f225a..6f3fe9c4b64a 100644
> --- a/drivers/media/v4l2-core/v4l2-ioctl.c
> +++ b/drivers/media/v4l2-core/v4l2-ioctl.c
> @@ -3189,17 +3189,16 @@ static int video_put_user(void __user *arg, void *parg, unsigned int cmd)
> #ifdef CONFIG_COMPAT_32BIT_TIME
> case VIDIOC_DQEVENT_TIME32: {
> struct v4l2_event *ev = parg;
> - struct v4l2_event_time32 ev32 = {
> - .type = ev->type,
> - .pending = ev->pending,
> - .sequence = ev->sequence,
> - .timestamp.tv_sec = ev->timestamp.tv_sec,
> - .timestamp.tv_nsec = ev->timestamp.tv_nsec,
> - .id = ev->id,
> - };
> + struct v4l2_event_time32 ev32;
>
> + memset(&ev32, 0, sizeof(ev32));
> + ev32.type = ev->type,
The lines should end with ';', not ','.
With this fixed,
Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
> + ev32.pending = ev->pending,
> + ev32.sequence = ev->sequence,
> + ev32.timestamp.tv_sec = ev->timestamp.tv_sec,
> + ev32.timestamp.tv_nsec = ev->timestamp.tv_nsec,
> + ev32.id = ev->id,
> memcpy(&ev32.u, &ev->u, sizeof(ev->u));
> - memcpy(&ev32.reserved, &ev->reserved, sizeof(ev->reserved));
>
> if (copy_to_user(arg, &ev32, sizeof(ev32)))
> return -EFAULT;
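Review bot: the memset() is the part of this hunk that actually closes the hole after 'type': the removed designated initializer `struct v4l2_event_time32 ev32 = { ... }` only guarantees values for the named members and leaves padding bytes unspecified, so a later cleanup must not fold the assignments back into an initializer without keeping the memset. The assignments from `ev32.type = ev->type,` through `ev32.id = ev->id,` end in commas, which turns them into one comma expression terminated by the following `memcpy(&ev32.u, ...)` statement; it evaluates the same, but they should end in ';' as already pointed out. Dropping `memcpy(&ev32.reserved, ...)` is consistent with the commit message, since reserved now reaches user space as zeros instead of being forwarded from the kernel-side struct.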
> @@ -3210,21 +3209,22 @@ static int video_put_user(void __user *arg, void *parg, unsigned int cmd)
> case VIDIOC_DQBUF_TIME32:
> case VIDIOC_PREPARE_BUF_TIME32: {
> struct v4l2_buffer *vb = parg;
> - struct v4l2_buffer_time32 vb32 = {
> - .index = vb->index,
> - .type = vb->type,
> - .bytesused = vb->bytesused,
> - .flags = vb->flags,
> - .field = vb->field,
> - .timestamp.tv_sec = vb->timestamp.tv_sec,
> - .timestamp.tv_usec = vb->timestamp.tv_usec,
> - .timecode = vb->timecode,
> - .sequence = vb->sequence,
> - .memory = vb->memory,
> - .m.userptr = vb->m.userptr,
> - .length = vb->length,
> - .request_fd = vb->request_fd,
> - };
> + struct v4l2_buffer_time32 vb32;
> +
> + memset(&vb32, 0, sizeof(vb32));
> + vb32.index = vb->index,
> + vb32.type = vb->type,
> + vb32.bytesused = vb->bytesused,
> + vb32.flags = vb->flags,
> + vb32.field = vb->field,
> + vb32.timestamp.tv_sec = vb->timestamp.tv_sec,
> + vb32.timestamp.tv_usec = vb->timestamp.tv_usec,
> + vb32.timecode = vb->timecode,
> + vb32.sequence = vb->sequence,
> + vb32.memory = vb->memory,
> + vb32.length = vb->length,
> + vb32.request_fd = vb->request_fd,
> + memcpy(&vb32.m, &vb->m, sizeof(vb->m));
>
> if (copy_to_user(arg, &vb32, sizeof(vb32)))
> return -EFAULT;
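Review bot: `memcpy(&vb32.m, &vb->m, sizeof(vb->m));` takes its length from the source union, so it silently relies on `vb32.m` being at least as large as `vb->m`; bounding the copy by `sizeof(vb32.m)`, or adding a BUILD_BUG_ON() that the two sizes match, would make that assumption explicit and keep the copy from writing past the union should the two layouts ever diverge. The memset() before the assignments is what fixes the reserved2 leak mentioned in the commit message, and the comma-terminated assignments from `vb32.index = vb->index,` through `vb32.request_fd = vb->request_fd,` have the same ';' issue as the first hunk.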
--
Regards,
Laurent Pinchart
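The leak class this patch addresses, shown as an added userspace example that is not part of the patch or of the kernel: the structs below are constructed lookalikes (assumption: they are not the real v4l2_event definitions, only layouts that reproduce a hole after 'type' plus tail padding), the destination is pre-filled with a poison byte to stand in for stale stack contents, and the two conversion routines mirror the 'before' (member-by-member fill) and 'after' (memset first) shapes of the hunk. Counting the poison bytes that survive shows exactly how many bytes copy_to_user() would have leaked.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed lookalikes of a native event struct and its time32 compat
 * form (assumption: NOT the kernel's v4l2_event types, only layouts that
 * reproduce the hole smatch reported). The 8-byte aligned union forces a
 * 4-byte hole after 'type' on ABIs where uint64_t is 8-byte aligned, and
 * 'reserved' plays the role of the reserved words.
 */
struct ev_native {
	uint32_t type;
	union { uint64_t value64; uint8_t data[16]; } u;
	uint32_t pending;
	uint32_t sequence;
	struct { int64_t tv_sec; int64_t tv_nsec; } timestamp;
	uint32_t id;
	uint32_t reserved[8];
};

struct ev_time32 {
	uint32_t type;
	/* hole here: 'u' needs 8-byte alignment */
	union { uint64_t value64; uint8_t data[16]; } u;
	uint32_t pending;
	uint32_t sequence;
	struct { int32_t tv_sec; int32_t tv_nsec; } timestamp;
	uint32_t id;
	uint32_t reserved[8];
};

#define POISON 0xAA	/* stands in for stale stack bytes */

/* Bytes of struct ev_time32 that belong to no named member (holes and tail padding). */
size_t ev_time32_hole_bytes(void)
{
	struct ev_time32 e;

	return sizeof(e) - (sizeof(e.type) + sizeof(e.u) + sizeof(e.pending) +
			    sizeof(e.sequence) + sizeof(e.timestamp) +
			    sizeof(e.id) + sizeof(e.reserved));
}

/* 'Before': fill member by member, leaving whatever was in the holes. */
static void to_time32_fieldwise(const struct ev_native *ev, struct ev_time32 *ev32)
{
	ev32->type = ev->type;
	memcpy(&ev32->u, &ev->u, sizeof(ev->u));
	ev32->pending = ev->pending;
	ev32->sequence = ev->sequence;
	ev32->timestamp.tv_sec = (int32_t)ev->timestamp.tv_sec;
	ev32->timestamp.tv_nsec = (int32_t)ev->timestamp.tv_nsec;
	ev32->id = ev->id;
	memcpy(ev32->reserved, ev->reserved, sizeof(ev32->reserved));
}

/* 'After': zero the destination first, as the patch does with memset(), so
 * holes and reserved words reach user space as zeros; reserved is no
 * longer copied at all. */
static void to_time32_zeroed(const struct ev_native *ev, struct ev_time32 *ev32)
{
	memset(ev32, 0, sizeof(*ev32));
	ev32->type = ev->type;
	memcpy(&ev32->u, &ev->u, sizeof(ev->u));
	ev32->pending = ev->pending;
	ev32->sequence = ev->sequence;
	ev32->timestamp.tv_sec = (int32_t)ev->timestamp.tv_sec;
	ev32->timestamp.tv_nsec = (int32_t)ev->timestamp.tv_nsec;
	ev32->id = ev->id;
}

/*
 * Convert a constructed sample event into a destination pre-filled with
 * POISON (simulating stale stack contents) and count how many poison bytes
 * survive, i.e. how many bytes a copy_to_user() of the result would leak.
 */
size_t leaked_bytes(int zero_first)
{
	struct ev_native ev;
	struct ev_time32 ev32;
	const uint8_t *p = (const uint8_t *)&ev32;
	size_t i, n = 0;

	memset(&ev, 0x11, sizeof(ev));	/* constructed sample: every member byte is 0x11 */
	memset(&ev32, POISON, sizeof(ev32));

	if (zero_first)
		to_time32_zeroed(&ev, &ev32);
	else
		to_time32_fieldwise(&ev, &ev32);

	for (i = 0; i < sizeof(ev32); i++)
		if (p[i] == POISON)
			n++;
	return n;
}

int main(void)
{
	printf("hole bytes in ev_time32: %zu\n", ev_time32_hole_bytes());
	printf("leaked without memset:   %zu\n", leaked_bytes(0));
	printf("leaked with memset:      %zu\n", leaked_bytes(1));
	return 0;
}
```

On an LP64 ABI the member-by-member path leaves every hole byte poisoned (8 bytes for this layout: the hole after 'type' and the tail padding), while the memset-first path leaves none; the same check can be applied to any kernel-to-user struct conversion by poisoning the destination before calling it.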