From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev,
syzbot+e27f3dbdab04e43b9f73@syzkaller.appspotmail.com,
Rajeshwar R Shinde <coolrrsh@gmail.com>,
Hans Verkuil <hverkuil-cisco@xs4all.nl>,
Sasha Levin <sashal@kernel.org>
Subject: [PATCH 4.14 23/57] media: gspca: cpia1: shift-out-of-bounds in set_flicker
Date: Fri, 24 Nov 2023 17:50:47 +0000 [thread overview]
Message-ID: <20231124171931.124237637@linuxfoundation.org> (raw)
In-Reply-To: <20231124171930.281665051@linuxfoundation.org>
4.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Rajeshwar R Shinde <coolrrsh@gmail.com>
[ Upstream commit 099be1822d1f095433f4b08af9cc9d6308ec1953 ]
Syzkaller reported the following issue:
UBSAN: shift-out-of-bounds in drivers/media/usb/gspca/cpia1.c:1031:27
shift exponent 245 is too large for 32-bit type 'int'
When the value of the variable "sd->params.exposure.gain" exceeds the
number of bits in an integer, a shift-out-of-bounds error is reported. It
is triggered because the variable "currentexp" cannot be left-shifted by
more than the number of bits in an integer. In order to avoid invalid
range during left-shift, the conditional expression is added.
Reported-by: syzbot+e27f3dbdab04e43b9f73@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/all/20230818164522.12806-1-coolrrsh@gmail.com
Link: https://syzkaller.appspot.com/bug?extid=e27f3dbdab04e43b9f73
Signed-off-by: Rajeshwar R Shinde <coolrrsh@gmail.com>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/media/usb/gspca/cpia1.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/media/usb/gspca/cpia1.c b/drivers/media/usb/gspca/cpia1.c
index e91d00762e94b..bf34479a87cc5 100644
--- a/drivers/media/usb/gspca/cpia1.c
+++ b/drivers/media/usb/gspca/cpia1.c
@@ -28,6 +28,7 @@
#include <linux/input.h>
#include <linux/sched/signal.h>
+#include <linux/bitops.h>
#include "gspca.h"
@@ -1032,6 +1033,8 @@ static int set_flicker(struct gspca_dev *gspca_dev, int on, int apply)
sd->params.exposure.expMode = 2;
sd->exposure_status = EXPOSURE_NORMAL;
}
+ if (sd->params.exposure.gain >= BITS_PER_TYPE(currentexp))
+ return -EINVAL;
currentexp = currentexp << sd->params.exposure.gain;
sd->params.exposure.gain = 0;
/* round down current exposure to nearest value */
--
2.42.0
next prev parent reply other threads:[~2023-11-24 18:02 UTC|newest]
Thread overview: 60+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-11-24 17:50 [PATCH 4.14 00/57] 4.14.331-rc1 review Greg Kroah-Hartman
2023-11-24 17:50 ` [PATCH 4.14 01/57] locking/ww_mutex/test: Fix potential workqueue corruption Greg Kroah-Hartman
2023-11-24 17:50 ` [PATCH 4.14 02/57] clocksource/drivers/timer-imx-gpt: Fix potential memory leak Greg Kroah-Hartman
2023-11-24 17:50 ` [PATCH 4.14 03/57] clocksource/drivers/timer-atmel-tcb: Fix initialization on SAM9 hardware Greg Kroah-Hartman
2023-11-24 17:50 ` [PATCH 4.14 04/57] x86/mm: Drop the 4 MB restriction on minimal NUMA node memory size Greg Kroah-Hartman
2023-11-24 17:50 ` [PATCH 4.14 05/57] wifi: mac80211: dont return unset power in ieee80211_get_tx_power() Greg Kroah-Hartman
2023-11-24 17:50 ` [PATCH 4.14 06/57] wifi: ath9k: fix clang-specific fortify warnings Greg Kroah-Hartman
2023-11-24 17:50 ` [PATCH 4.14 07/57] wifi: ath10k: fix clang-specific fortify warning Greg Kroah-Hartman
2023-11-24 17:50 ` [PATCH 4.14 08/57] net: annotate data-races around sk->sk_dst_pending_confirm Greg Kroah-Hartman
2023-11-24 17:50 ` [PATCH 4.14 09/57] drm/amd: Fix UBSAN array-index-out-of-bounds for SMU7 Greg Kroah-Hartman
2023-11-24 17:50 ` [PATCH 4.14 10/57] drm/amd: Fix UBSAN array-index-out-of-bounds for Polaris and Tonga Greg Kroah-Hartman
2023-11-24 17:50 ` [PATCH 4.14 11/57] selftests/efivarfs: create-read: fix a resource leak Greg Kroah-Hartman
2023-11-24 17:50 ` [PATCH 4.14 12/57] crypto: pcrypt - Fix hungtask for PADATA_RESET Greg Kroah-Hartman
2023-11-24 17:50 ` [PATCH 4.14 13/57] RDMA/hfi1: Use FIELD_GET() to extract Link Width Greg Kroah-Hartman
2023-11-24 17:50 ` [PATCH 4.14 14/57] fs/jfs: Add check for negative db_l2nbperpage Greg Kroah-Hartman
2023-11-24 17:50 ` [PATCH 4.14 15/57] fs/jfs: Add validity check for db_maxag and db_agpref Greg Kroah-Hartman
2023-11-24 17:50 ` [PATCH 4.14 16/57] jfs: fix array-index-out-of-bounds in dbFindLeaf Greg Kroah-Hartman
2023-11-24 17:50 ` [PATCH 4.14 17/57] jfs: fix array-index-out-of-bounds in diAlloc Greg Kroah-Hartman
2023-11-24 17:50 ` [PATCH 4.14 18/57] ALSA: hda: Fix possible null-ptr-deref when assigning a stream Greg Kroah-Hartman
2023-11-24 17:50 ` [PATCH 4.14 19/57] atm: iphase: Do PCI error checks on own line Greg Kroah-Hartman
2023-11-24 17:50 ` [PATCH 4.14 20/57] scsi: libfc: Fix potential NULL pointer dereference in fc_lport_ptp_setup() Greg Kroah-Hartman
2023-11-24 17:50 ` [PATCH 4.14 21/57] tty: vcc: Add check for kstrdup() in vcc_probe() Greg Kroah-Hartman
2023-11-24 17:50 ` [PATCH 4.14 22/57] i2c: sun6i-p2wi: Prevent potential division by zero Greg Kroah-Hartman
2023-11-24 17:50 ` Greg Kroah-Hartman [this message]
2023-11-24 17:50 ` [PATCH 4.14 24/57] media: vivid: avoid integer overflow Greg Kroah-Hartman
2023-11-24 17:50 ` [PATCH 4.14 25/57] gfs2: ignore negated quota changes Greg Kroah-Hartman
2023-11-24 17:50 ` [PATCH 4.14 26/57] pwm: Fix double shift bug Greg Kroah-Hartman
2023-11-24 17:50 ` [PATCH 4.14 27/57] media: venus: hfi: add checks to perform sanity on queue pointers Greg Kroah-Hartman
2023-11-24 17:50 ` [PATCH 4.14 28/57] randstruct: Fix gcc-plugin performance mode to stay in group Greg Kroah-Hartman
2023-11-24 17:50 ` [PATCH 4.14 29/57] KVM: x86: Ignore MSR_AMD64_TW_CFG access Greg Kroah-Hartman
2023-11-24 17:50 ` [PATCH 4.14 30/57] audit: dont take task_lock() in audit_exe_compare() code path Greg Kroah-Hartman
2023-11-24 17:50 ` [PATCH 4.14 31/57] audit: dont WARN_ON_ONCE(!current->mm) in audit_exe_compare() Greg Kroah-Hartman
2023-11-24 17:50 ` [PATCH 4.14 32/57] hvc/xen: fix error path in xen_hvc_init() to always register frontend driver Greg Kroah-Hartman
2023-11-24 17:50 ` [PATCH 4.14 33/57] PCI/sysfs: Protect drivers D3cold preference from user space Greg Kroah-Hartman
2023-11-24 17:50 ` [PATCH 4.14 34/57] parisc/power: Add power soft-off when running on qemu Greg Kroah-Hartman
2023-11-24 17:50 ` [PATCH 4.14 35/57] mmc: vub300: fix an error code Greg Kroah-Hartman
2023-11-24 17:51 ` [PATCH 4.14 36/57] PM: hibernate: Use __get_safe_page() rather than touching the list Greg Kroah-Hartman
2023-11-24 17:51 ` [PATCH 4.14 37/57] PM: hibernate: Clean up sync_read handling in snapshot_write_next() Greg Kroah-Hartman
2023-11-24 17:51 ` [PATCH 4.14 38/57] mmc: meson-gx: Remove setting of CMD_CFG_ERROR Greg Kroah-Hartman
2023-11-24 17:51 ` [PATCH 4.14 39/57] genirq/generic_chip: Make irq_remove_generic_chip() irqdomain aware Greg Kroah-Hartman
2023-11-24 17:51 ` [PATCH 4.14 40/57] jbd2: fix potential data lost in recovering journal raced with synchronizing fs bdev Greg Kroah-Hartman
2023-11-24 17:51 ` [PATCH 4.14 41/57] mcb: fix error handling for different scenarios when parsing Greg Kroah-Hartman
2023-11-24 17:51 ` [PATCH 4.14 42/57] s390/cmma: fix initial kernel address space page table walk Greg Kroah-Hartman
2023-11-24 17:51 ` [PATCH 4.14 43/57] s390/cmma: fix handling of swapper_pg_dir and invalid_pg_dir Greg Kroah-Hartman
2023-11-24 17:51 ` [PATCH 4.14 44/57] parisc: Prevent booting 64-bit kernels on PA1.x machines Greg Kroah-Hartman
2023-11-24 17:51 ` [PATCH 4.14 45/57] parisc/pgtable: Do not drop upper 5 address bits of physical address Greg Kroah-Hartman
2023-11-24 17:51 ` [PATCH 4.14 46/57] parisc/power: Fix power soft-off when running on qemu Greg Kroah-Hartman
2023-11-24 17:51 ` [PATCH 4.14 47/57] ALSA: info: Fix potential deadlock at disconnection Greg Kroah-Hartman
2023-11-24 17:51 ` [PATCH 4.14 48/57] net: dsa: lan9303: consequently nested-lock physical MDIO Greg Kroah-Hartman
2023-11-24 17:51 ` [PATCH 4.14 49/57] i2c: i801: fix potential race in i801_block_transaction_byte_by_byte Greg Kroah-Hartman
2023-11-24 17:51 ` [PATCH 4.14 50/57] media: sharp: fix sharp encoding Greg Kroah-Hartman
2023-11-24 17:51 ` [PATCH 4.14 51/57] media: venus: hfi: fix the check to handle session buffer requirement Greg Kroah-Hartman
2023-11-24 17:51 ` [PATCH 4.14 52/57] ext4: apply umask if ACL support is disabled Greg Kroah-Hartman
2023-11-24 17:51 ` [PATCH 4.14 53/57] ext4: correct offset of gdb backup in non meta_bg group to update_backups Greg Kroah-Hartman
2023-11-24 17:51 ` [PATCH 4.14 54/57] ext4: correct return value of ext4_convert_meta_bg Greg Kroah-Hartman
2023-11-24 17:51 ` [PATCH 4.14 55/57] ext4: remove gdb backup copy for meta bg in setup_new_flex_group_blocks Greg Kroah-Hartman
2023-11-24 17:51 ` [PATCH 4.14 56/57] scsi: virtio_scsi: limit number of hw queues by nr_cpu_ids Greg Kroah-Hartman
2023-11-24 17:51 ` [PATCH 4.14 57/57] net: sched: fix race condition in qdisc_graft() Greg Kroah-Hartman
2023-11-24 20:51 ` [PATCH 4.14 00/57] 4.14.331-rc1 review Daniel Díaz
2023-11-25 15:40 ` Greg Kroah-Hartman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20231124171931.124237637@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=coolrrsh@gmail.com \
--cc=hverkuil-cisco@xs4all.nl \
--cc=patches@lists.linux.dev \
--cc=sashal@kernel.org \
--cc=stable@vger.kernel.org \
--cc=syzbot+e27f3dbdab04e43b9f73@syzkaller.appspotmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.