From: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
To: Hans Verkuil <hverkuil@xs4all.nl>
Cc: Ricardo Ribalda <ribalda@chromium.org>,
linux-kernel@vger.kernel.org, linux-media@vger.kernel.org,
stable@vger.kernel.org
Subject: Re: [PATCH v2 01/13] media: v4l2-ctrls-api: fix error handling for v4l2_g_ctrl()
Date: Fri, 18 Oct 2024 08:26:54 +0200 [thread overview]
Message-ID: <20241018082654.04cae950@foz.lan> (raw)
In-Reply-To: <2caf0dfc-6d7c-4561-b126-4f3c654706fe@xs4all.nl>
Em Fri, 18 Oct 2024 08:13:01 +0200
Hans Verkuil <hverkuil@xs4all.nl> escreveu:
> On 18/10/2024 07:53, Mauro Carvalho Chehab wrote:
> > As detected by Coverity, the error check logic at get_ctrl() is
> > broken: if ptr_to_user() fails to fill a control due to an error,
> > no errors are returned and v4l2_g_ctrl() returns success on a
> > failed operation, which may cause applications to fail.
> >
> > Add an error check at get_ctrl() and ensure that it will
> > be returned to userspace without filling the control value if
> > get_ctrl() fails.
> >
> > Fixes: 71c689dc2e73 ("media: v4l2-ctrls: split up into four source files")
> > Cc: stable@vger.kernel.org
> > Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
> > ---
> > drivers/media/v4l2-core/v4l2-ctrls-api.c | 16 +++++++++++-----
> > 1 file changed, 11 insertions(+), 5 deletions(-)
> >
> > diff --git a/drivers/media/v4l2-core/v4l2-ctrls-api.c b/drivers/media/v4l2-core/v4l2-ctrls-api.c
> > index e5a364efd5e6..a0de7eeaf085 100644
> > --- a/drivers/media/v4l2-core/v4l2-ctrls-api.c
> > +++ b/drivers/media/v4l2-core/v4l2-ctrls-api.c
> > @@ -753,9 +753,10 @@ static int get_ctrl(struct v4l2_ctrl *ctrl, struct v4l2_ext_control *c)
> > for (i = 0; i < master->ncontrols; i++)
> > cur_to_new(master->cluster[i]);
> > ret = call_op(master, g_volatile_ctrl);
> > - new_to_user(c, ctrl);
> > + if (!ret)
> > + ret = new_to_user(c, ctrl);
> > } else {
> > - cur_to_user(c, ctrl);
> > + ret = cur_to_user(c, ctrl);
> > }
> > v4l2_ctrl_unlock(master);
> > return ret;
> > @@ -770,7 +771,10 @@ int v4l2_g_ctrl(struct v4l2_ctrl_handler *hdl, struct v4l2_control *control)
> > if (!ctrl || !ctrl->is_int)
> > return -EINVAL;
> > ret = get_ctrl(ctrl, &c);
> > - control->value = c.value;
> > +
> > + if (!ret)
> > + control->value = c.value;
> > +
> > return ret;
> > }
> > EXPORT_SYMBOL(v4l2_g_ctrl);
> > @@ -811,10 +815,12 @@ static int set_ctrl_lock(struct v4l2_fh *fh, struct v4l2_ctrl *ctrl,
> > int ret;
> >
> > v4l2_ctrl_lock(ctrl);
> > - user_to_new(c, ctrl);
> > + ret = user_to_new(c, ctrl);
> > + if (ret)
> > + return ret;
>
> A lock was taken above and that isn't unlocked here.
>
> It is better to write this as:
>
> if (!ret)
> ret = set_ctrl(fh, ctrl, 0);
>
> > ret = set_ctrl(fh, ctrl, 0);
> > if (!ret)
> > - cur_to_user(c, ctrl);
> > + ret = cur_to_user(c, ctrl);
> > v4l2_ctrl_unlock(ctrl);
> > return ret;
> > }
True. See below.
Thanks,
Mauro
-
[PATCH v3] media: v4l2-ctrls-api: fix error handling for v4l2_g_ctrl()
As detected by Coverity, the error check logic at get_ctrl() is
broken: if ptr_to_user() fails to fill a control due to an error,
no errors are returned and v4l2_g_ctrl() returns success on a
failed operation, which may cause applications to fail.
Add an error check at get_ctrl() and ensure that it will
be returned to userspace without filling the control value if
get_ctrl() fails.
Fixes: 71c689dc2e73 ("media: v4l2-ctrls: split up into four source files")
Cc: stable@vger.kernel.org
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
---
drivers/media/v4l2-core/v4l2-ctrls-api.c | 17 +++++++++++------
1 file changed, 11 insertions(+), 6 deletions(-)
diff --git a/drivers/media/v4l2-core/v4l2-ctrls-api.c b/drivers/media/v4l2-core/v4l2-ctrls-api.c
index e5a364efd5e6..95a2202879d8 100644
--- a/drivers/media/v4l2-core/v4l2-ctrls-api.c
+++ b/drivers/media/v4l2-core/v4l2-ctrls-api.c
@@ -753,9 +753,10 @@ static int get_ctrl(struct v4l2_ctrl *ctrl, struct v4l2_ext_control *c)
for (i = 0; i < master->ncontrols; i++)
cur_to_new(master->cluster[i]);
ret = call_op(master, g_volatile_ctrl);
- new_to_user(c, ctrl);
+ if (!ret)
+ ret = new_to_user(c, ctrl);
} else {
- cur_to_user(c, ctrl);
+ ret = cur_to_user(c, ctrl);
}
v4l2_ctrl_unlock(master);
return ret;
@@ -770,7 +771,10 @@ int v4l2_g_ctrl(struct v4l2_ctrl_handler *hdl, struct v4l2_control *control)
if (!ctrl || !ctrl->is_int)
return -EINVAL;
ret = get_ctrl(ctrl, &c);
- control->value = c.value;
+
+ if (!ret)
+ control->value = c.value;
+
return ret;
}
EXPORT_SYMBOL(v4l2_g_ctrl);
@@ -811,10 +815,11 @@ static int set_ctrl_lock(struct v4l2_fh *fh, struct v4l2_ctrl *ctrl,
int ret;
v4l2_ctrl_lock(ctrl);
- user_to_new(c, ctrl);
- ret = set_ctrl(fh, ctrl, 0);
+ ret = user_to_new(c, ctrl);
+ if (!ret)
+ ret = set_ctrl(fh, ctrl, 0);
if (!ret)
- cur_to_user(c, ctrl);
+ ret = cur_to_user(c, ctrl);
v4l2_ctrl_unlock(ctrl);
return ret;
}
--
2.47.0
next prev parent reply other threads:[~2024-10-18 6:26 UTC|newest]
Thread overview: 23+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-10-18 5:53 [PATCH v2 00/13] Media: fix several issues on drivers Mauro Carvalho Chehab
2024-10-18 5:53 ` [PATCH v2 01/13] media: v4l2-ctrls-api: fix error handling for v4l2_g_ctrl() Mauro Carvalho Chehab
2024-10-18 6:13 ` Hans Verkuil
2024-10-18 6:26 ` Mauro Carvalho Chehab [this message]
2024-10-21 18:32 ` Dan Carpenter
2024-10-18 5:53 ` [PATCH v2 02/13] media: v4l2-tpg: prevent the risk of a division by zero Mauro Carvalho Chehab
2024-10-18 5:53 ` [PATCH v2 03/13] media: dvbdev: prevent the risk of out of memory access Mauro Carvalho Chehab
2024-10-18 5:53 ` [PATCH v2 04/13] media: dvb_frontend: don't play tricks with underflow values Mauro Carvalho Chehab
2024-10-18 11:44 ` Philipp Stanner
2024-10-18 14:37 ` Kees Cook
2024-10-18 16:02 ` Philipp Stanner
2024-10-19 6:39 ` Mauro Carvalho Chehab
2024-10-18 5:53 ` [PATCH v2 05/13] media: mgb4: protect driver against spectre Mauro Carvalho Chehab
2024-10-18 5:53 ` [PATCH v2 06/13] media: av7110: fix a spectre vulnerability Mauro Carvalho Chehab
2024-10-18 5:53 ` [PATCH v2 07/13] media: s5p-jpeg: prevent buffer overflows Mauro Carvalho Chehab
2024-10-18 5:53 ` [PATCH v2 08/13] media: ar0521: don't overflow when checking PLL values Mauro Carvalho Chehab
2024-10-18 9:53 ` Krzysztof Hałasa
2024-10-18 5:53 ` [PATCH v2 09/13] media: cx24116: prevent overflows on SNR calculus Mauro Carvalho Chehab
2024-10-18 5:53 ` [PATCH v2 10/13] media: adv7604: prevent underflow condition when reporting colorspace Mauro Carvalho Chehab
2024-10-18 5:53 ` [PATCH v2 11/13] media: stb0899_algo: initialize cfr before using it Mauro Carvalho Chehab
2024-10-18 5:53 ` [PATCH v2 12/13] media: cec: extron-da-hd-4k-plus: don't use -1 as an error code Mauro Carvalho Chehab
2024-10-18 5:53 ` [PATCH v2 13/13] media: pulse8-cec: fix data timestamp at pulse8_setup() Mauro Carvalho Chehab
-- strict thread matches above, loose matches on Subject: below --
2024-10-21 18:04 [PATCH v2 01/13] media: v4l2-ctrls-api: fix error handling for v4l2_g_ctrl() kernel test robot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20241018082654.04cae950@foz.lan \
--to=mchehab+huawei@kernel.org \
--cc=hverkuil@xs4all.nl \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-media@vger.kernel.org \
--cc=ribalda@chromium.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.