From: coolrrsh@gmail.com To: hverkuil@xs4all.nl, mchehab@kernel.org, linux-media@vger.kernel.org, linux-kernel@vger.kernel.org Cc: linux-kernel-mentees@lists.linuxfoundation.org, Rajeshwar R Shinde <coolrrsh@gmail.com>, syzbot+e27f3dbdab04e43b9f73@syzkaller.appspotmail.com Subject: [PATCH v2] UBSAN: shift-out-of-bounds in set_flicker Date: Mon, 21 Aug 2023 13:45:59 +0530 [thread overview] Message-ID: <20230821081559.13807-1-coolrrsh@gmail.com> (raw) From: Rajeshwar R Shinde <coolrrsh@gmail.com> UBSAN: shift-out-of-bounds in drivers/media/usb/gspca/cpia1.c:1031:27 shift exponent 245 is too large for 32-bit type 'int' shift-out-of-bounds error was triggered when variable 'sd->params.exposure.gain' is greater than the number of bits of int. When the variable 'currentexp' is left shifted beyond 31 bits then the error is produced. Therefore added the conditional expression to verify valid range. Tested via syzbot. Reported-by: syzbot+e27f3dbdab04e43b9f73@syzkaller.appspotmail.com Closes: https://lore.kernel.org/all/20230818164522.12806-1- coolrrsh@gmail.com/ Link: https://syzkaller.appspot.com/bug?extid=e27f3dbdab04e43b9f73 Signed-off-by: Rajeshwar R Shinde <coolrrsh@gmail.com> --- v1->v2 changed the patch changed commit message and tested with checkpatch --- drivers/media/usb/gspca/cpia1.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/media/usb/gspca/cpia1.c b/drivers/media/usb/gspca/cpia1.c index 46ed95483e22..dafc522d5e7b 100644 --- a/drivers/media/usb/gspca/cpia1.c +++ b/drivers/media/usb/gspca/cpia1.c @@ -1028,6 +1028,8 @@ static int set_flicker(struct gspca_dev *gspca_dev, int on, int apply) sd->params.exposure.expMode = 2; sd->exposure_status = EXPOSURE_NORMAL; } + if (sd->params.exposure.gain > 31) + return -1; currentexp = currentexp << sd->params.exposure.gain; sd->params.exposure.gain = 0; /* round down current exposure to nearest value */ -- 2.25.1
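Review bot: The added `if (sd->params.exposure.gain > 31) return -1;` sits after the preceding block, which may already have written `sd->params.exposure.expMode` and `sd->exposure_status`, so the error path can return with driver state partly updated. It also returns a bare -1 rather than an errno. Validate `gain` before any state in this function is touched (or where the value is first stored) and return -EINVAL. The literal 31 would be clearer if derived from the width of `currentexp`, which the commit message says is a 32-bit int. A shift of up to 31 can still push a signed value into the sign bit, so consider a tighter bound or unsigned arithmetic for the shift.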