All of lore.kernel.org
 help / color / mirror / Atom feed
From: Dan Carpenter <dan.carpenter@oracle.com>
To: hverkuil-cisco@xs4all.nl
Cc: linux-media@vger.kernel.org
Subject: [bug report] media: v4l2-ctrls: split up into four source files
Date: Mon, 7 Feb 2022 14:34:24 +0300	[thread overview]
Message-ID: <20220207113424.GA28058@kili> (raw)

[ This code is older, but it showed up as a new warning because of
  moving the files around - dan ]

Hello Hans Verkuil,

The patch 71c689dc2e73: "media: v4l2-ctrls: split up into four source
files" from Apr 27, 2021, leads to the following Smatch static
checker warning:

drivers/media/v4l2-core/v4l2-ctrls-api.c:374 v4l2_g_ext_ctrls_common() warn: uncapped user size for kvmalloc() will WARN
drivers/media/v4l2-core/v4l2-ctrls-api.c:545 try_set_ext_ctrls_common() warn: uncapped user size for kvmalloc() will WARN

drivers/media/v4l2-core/v4l2-ctrls-api.c
    351 int v4l2_g_ext_ctrls_common(struct v4l2_ctrl_handler *hdl,
    352                             struct v4l2_ext_controls *cs,
    353                             struct video_device *vdev)
    354 {
    355         struct v4l2_ctrl_helper helper[4];
    356         struct v4l2_ctrl_helper *helpers = helper;
    357         int ret;
    358         int i, j;
    359         bool is_default, is_request;
    360 
    361         is_default = (cs->which == V4L2_CTRL_WHICH_DEF_VAL);
    362         is_request = (cs->which == V4L2_CTRL_WHICH_REQUEST_VAL);
    363 
    364         cs->error_idx = cs->count;
    365         cs->which = V4L2_CTRL_ID2WHICH(cs->which);
    366 
    367         if (!hdl)
    368                 return -EINVAL;
    369 
    370         if (cs->count == 0)
    371                 return class_check(hdl, cs->which);
    372 
    373         if (cs->count > ARRAY_SIZE(helper)) {
--> 374                 helpers = kvmalloc_array(cs->count, sizeof(helper[0]),

These days if "cs->count" is larger than INT_MAX it will trigger a
WARN() because basically "people shouldn't be so trusting of user
space".  kvmalloc() used to be able to allocate more than INT_MAX but
that led to integer overflow problmes and security bugs.

This "cs->count" value comes from the user via the ioctl.  I don't know
what a sensible upper bound is though.

    375                                          GFP_KERNEL);
    376                 if (!helpers)
    377                         return -ENOMEM;
    378         }
    379 

regards,
dan carpenter

             reply	other threads:[~2022-02-07 12:50 UTC|newest]

Thread overview: 3+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2022-02-07 11:34 Dan Carpenter [this message]
2022-02-07 11:50 ` [bug report] media: v4l2-ctrls: split up into four source files Hans Verkuil
2022-02-07 12:15   ` Dan Carpenter

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20220207113424.GA28058@kili \
    --to=dan.carpenter@oracle.com \
    --cc=hverkuil-cisco@xs4all.nl \
    --cc=linux-media@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.