From: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
To: Arnd Bergmann <arnd@kernel.org>
Cc: Hans Verkuil <hverkuil-cisco@xs4all.nl>,
Mauro Carvalho Chehab <mchehab@kernel.org>,
Arnd Bergmann <arnd@arndb.de>,
"Lad, Prabhakar" <prabhakar.csengg@gmail.com>,
Eduardo Valentin <edubezval@gmail.com>,
Sakari Ailus <sakari.ailus@linux.intel.com>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
Vaibhav Gupta <vaibhavgupta40@gmail.com>,
Liu Shixin <liushixin2@huawei.com>,
Jacopo Mondi <jacopo+renesas@jmondi.org>,
Andy Shevchenko <andriy.shevchenko@linux.intel.com>,
linux-kernel@vger.kernel.org, linux-media@vger.kernel.org,
linux-staging@lists.linux.dev
Subject: Re: [PATCH v3 2/8] media: v4l2-core: explicitly clear ioctl input data
Date: Mon, 14 Jun 2021 19:56:03 +0300 [thread overview]
Message-ID: <YMeKI4OZrtS529BO@pendragon.ideasonboard.com> (raw)
In-Reply-To: <20210614103409.3154127-3-arnd@kernel.org>
Hi Arnd,
Thank you for the patch.
On Mon, Jun 14, 2021 at 12:34:03PM +0200, Arnd Bergmann wrote:
> From: Arnd Bergmann <arnd@arndb.de>
>
> As seen from a recent syzbot bug report, mistakes in the compat ioctl
> implementation can lead to uninitialized kernel stack data getting used
> as input for driver ioctl handlers.
>
> The reported bug is now fixed, but it's possible that other related
> bugs are still present or get added in the future. As the drivers need
> to check user input already, the possible impact is fairly low, but it
> might still cause an information leak.
>
> To be on the safe side, always clear the entire ioctl buffer before
> calling the conversion handler functions that are meant to initialize
> them.
>
> Signed-off-by: Arnd Bergmann <arnd@arndb.de>
> ---
> drivers/media/v4l2-core/v4l2-ioctl.c | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/drivers/media/v4l2-core/v4l2-ioctl.c b/drivers/media/v4l2-core/v4l2-ioctl.c
> index 58df927aec7e..f19e56116e53 100644
> --- a/drivers/media/v4l2-core/v4l2-ioctl.c
> +++ b/drivers/media/v4l2-core/v4l2-ioctl.c
> @@ -3124,8 +3124,10 @@ static int video_get_user(void __user *arg, void *parg,
> if (copy_from_user(parg, (void __user *)arg, n))
> err = -EFAULT;
> } else if (in_compat_syscall()) {
> + memset(parg, 0, n);
> err = v4l2_compat_get_user(arg, parg, cmd);
> } else {
> + memset(parg, 0, n);
This could possibly be moved with the #if block by making it cover the
whole switch, but I don't think this code path will be hit when cmd
isn't one of the values handled below, so it shouldn't matter.
Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
> switch (cmd) {
> #if !defined(CONFIG_64BIT) && defined(CONFIG_COMPAT_32BIT_TIME)
> case VIDIOC_QUERYBUF_TIME32:
--
Regards,
Laurent Pinchart
next prev parent reply other threads:[~2021-06-14 16:56 UTC|newest]
Thread overview: 24+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-06-14 10:34 [PATCH v3 0/7] media: v4l2: compat ioctl fixes Arnd Bergmann
2021-06-14 10:34 ` [PATCH v3 1/8] media: v4l2-core: ignore native time32 ioctls on 64-bit Arnd Bergmann
2021-06-14 13:24 ` Andy Shevchenko
2021-06-14 16:50 ` Laurent Pinchart
2021-06-14 10:34 ` [PATCH v3 2/8] media: v4l2-core: explicitly clear ioctl input data Arnd Bergmann
2021-06-14 16:56 ` Laurent Pinchart [this message]
2021-06-14 10:34 ` [PATCH v3 3/8] media: v4l2-core: fix whitespace damage in video_get_user() Arnd Bergmann
2021-06-14 16:58 ` Laurent Pinchart
2021-06-14 10:34 ` [PATCH v3 4/8] media: subdev: remove VIDIOC_DQEVENT_TIME32 handling Arnd Bergmann
2021-06-14 17:02 ` Laurent Pinchart
2021-06-15 8:43 ` Arnd Bergmann
2021-06-15 8:48 ` Hans Verkuil
2021-06-15 9:30 ` Arnd Bergmann
2021-06-14 10:34 ` [PATCH v3 5/8] media: v4l2-core: return -ENODEV from ioctl when not registered Arnd Bergmann
2021-06-14 17:04 ` Laurent Pinchart
2021-06-14 17:04 ` Laurent Pinchart
2021-06-14 10:34 ` [PATCH v3 6/8] media: atomisp: remove compat_ioctl32 code Arnd Bergmann
2021-06-14 17:07 ` Laurent Pinchart
2021-06-14 10:34 ` [PATCH v3 7/8] media: subdev: fix compat_ioctl32 Arnd Bergmann
2021-06-14 17:18 ` Laurent Pinchart
2021-06-15 8:26 ` Hans Verkuil
2021-06-15 8:39 ` Arnd Bergmann
2021-06-14 10:34 ` [PATCH v3 8/8] media: subdev: disallow ioctl for saa6588/davinci Arnd Bergmann
2021-06-14 17:21 ` Laurent Pinchart
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=YMeKI4OZrtS529BO@pendragon.ideasonboard.com \
--to=laurent.pinchart@ideasonboard.com \
--cc=andriy.shevchenko@linux.intel.com \
--cc=arnd@arndb.de \
--cc=arnd@kernel.org \
--cc=edubezval@gmail.com \
--cc=gregkh@linuxfoundation.org \
--cc=hverkuil-cisco@xs4all.nl \
--cc=jacopo+renesas@jmondi.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-media@vger.kernel.org \
--cc=linux-staging@lists.linux.dev \
--cc=liushixin2@huawei.com \
--cc=mchehab@kernel.org \
--cc=prabhakar.csengg@gmail.com \
--cc=sakari.ailus@linux.intel.com \
--cc=vaibhavgupta40@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.