From: coolrrsh@gmail.com
To: hverkuil@xs4all.nl, mchehab@kernel.org,
linux-media@vger.kernel.org, linux-kernel@vger.kernel.org
Cc: linux-kernel-mentees@lists.linuxfoundation.org,
Rajeshwar R Shinde <coolrrsh@gmail.com>,
syzbot+e27f3dbdab04e43b9f73@syzkaller.appspotmail.com
Subject: [PATCH v2] UBSAN: shift-out-of-bounds in set_flicker
Date: Mon, 21 Aug 2023 13:45:59 +0530 [thread overview]
Message-ID: <20230821081559.13807-1-coolrrsh@gmail.com> (raw)
From: Rajeshwar R Shinde <coolrrsh@gmail.com>
UBSAN: shift-out-of-bounds in drivers/media/usb/gspca/cpia1.c:1031:27
shift exponent 245 is too large for 32-bit type 'int'
shift-out-of-bounds error was triggered when variable
'sd->params.exposure.gain' is greater than the number of bits of int.
When the variable 'currentexp' is left shifted beyond 31 bits then
the error is produced. Therefore added the conditional expression to
verify valid range.
Tested via syzbot.
Reported-by: syzbot+e27f3dbdab04e43b9f73@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/all/20230818164522.12806-1-
coolrrsh@gmail.com/
Link: https://syzkaller.appspot.com/bug?extid=e27f3dbdab04e43b9f73
Signed-off-by: Rajeshwar R Shinde <coolrrsh@gmail.com>
---
v1->v2
changed the patch
changed commit message and tested with checkpatch
---
drivers/media/usb/gspca/cpia1.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/media/usb/gspca/cpia1.c b/drivers/media/usb/gspca/cpia1.c
index 46ed95483e22..dafc522d5e7b 100644
--- a/drivers/media/usb/gspca/cpia1.c
+++ b/drivers/media/usb/gspca/cpia1.c
@@ -1028,6 +1028,8 @@ static int set_flicker(struct gspca_dev *gspca_dev, int on, int apply)
sd->params.exposure.expMode = 2;
sd->exposure_status = EXPOSURE_NORMAL;
}
+ if (sd->params.exposure.gain > 31)
+ return -1;
currentexp = currentexp << sd->params.exposure.gain;
sd->params.exposure.gain = 0;
/* round down current exposure to nearest value */
--
2.25.1
WARNING: multiple messages have this Message-ID (diff)
From: coolrrsh@gmail.com
To: hverkuil@xs4all.nl, mchehab@kernel.org,
linux-media@vger.kernel.org, linux-kernel@vger.kernel.org
Cc: linux-kernel-mentees@lists.linuxfoundation.org,
syzbot+e27f3dbdab04e43b9f73@syzkaller.appspotmail.com
Subject: [PATCH v2] UBSAN: shift-out-of-bounds in set_flicker
Date: Mon, 21 Aug 2023 13:45:59 +0530 [thread overview]
Message-ID: <20230821081559.13807-1-coolrrsh@gmail.com> (raw)
From: Rajeshwar R Shinde <coolrrsh@gmail.com>
UBSAN: shift-out-of-bounds in drivers/media/usb/gspca/cpia1.c:1031:27
shift exponent 245 is too large for 32-bit type 'int'
shift-out-of-bounds error was triggered when variable
'sd->params.exposure.gain' is greater than the number of bits of int.
When the variable 'currentexp' is left shifted beyond 31 bits then
the error is produced. Therefore added the conditional expression to
verify valid range.
Tested via syzbot.
Reported-by: syzbot+e27f3dbdab04e43b9f73@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/all/20230818164522.12806-1-
coolrrsh@gmail.com/
Link: https://syzkaller.appspot.com/bug?extid=e27f3dbdab04e43b9f73
Signed-off-by: Rajeshwar R Shinde <coolrrsh@gmail.com>
---
v1->v2
changed the patch
changed commit message and tested with checkpatch
---
drivers/media/usb/gspca/cpia1.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/media/usb/gspca/cpia1.c b/drivers/media/usb/gspca/cpia1.c
index 46ed95483e22..dafc522d5e7b 100644
--- a/drivers/media/usb/gspca/cpia1.c
+++ b/drivers/media/usb/gspca/cpia1.c
@@ -1028,6 +1028,8 @@ static int set_flicker(struct gspca_dev *gspca_dev, int on, int apply)
sd->params.exposure.expMode = 2;
sd->exposure_status = EXPOSURE_NORMAL;
}
+ if (sd->params.exposure.gain > 31)
+ return -1;
currentexp = currentexp << sd->params.exposure.gain;
sd->params.exposure.gain = 0;
/* round down current exposure to nearest value */
--
2.25.1
_______________________________________________
Linux-kernel-mentees mailing list
Linux-kernel-mentees@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mailman/listinfo/linux-kernel-mentees
next reply other threads:[~2023-08-21 8:16 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-08-21 8:15 coolrrsh [this message]
2023-08-21 8:15 ` [PATCH v2] UBSAN: shift-out-of-bounds in set_flicker coolrrsh
2023-08-24 7:06 coolrrsh
2023-08-24 7:06 ` coolrrsh
2023-08-24 7:13 ` Greg KH
2023-08-24 7:13 ` Greg KH
2023-08-24 7:19 ` Hans Verkuil
2023-08-24 7:19 ` Hans Verkuil
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230821081559.13807-1-coolrrsh@gmail.com \
--to=coolrrsh@gmail.com \
--cc=hverkuil@xs4all.nl \
--cc=linux-kernel-mentees@lists.linuxfoundation.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-media@vger.kernel.org \
--cc=mchehab@kernel.org \
--cc=syzbot+e27f3dbdab04e43b9f73@syzkaller.appspotmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.