public inbox for linux-media@vger.kernel.org
 help / color / mirror / Atom feed
From: Dan Carpenter <dan.carpenter@oracle.com>
To: hverkuil-cisco@xs4all.nl
Cc: linux-media@vger.kernel.org
Subject: [bug report] media: v4l2-ctrls: split up into four source files
Date: Mon, 7 Feb 2022 14:34:24 +0300	[thread overview]
Message-ID: <20220207113424.GA28058@kili> (raw)

[ This code is older, but it showed up as a new warning because of
  moving the files around - dan ]

Hello Hans Verkuil,

The patch 71c689dc2e73: "media: v4l2-ctrls: split up into four source
files" from Apr 27, 2021, leads to the following Smatch static
checker warning:

drivers/media/v4l2-core/v4l2-ctrls-api.c:374 v4l2_g_ext_ctrls_common() warn: uncapped user size for kvmalloc() will WARN
drivers/media/v4l2-core/v4l2-ctrls-api.c:545 try_set_ext_ctrls_common() warn: uncapped user size for kvmalloc() will WARN

drivers/media/v4l2-core/v4l2-ctrls-api.c
    351 int v4l2_g_ext_ctrls_common(struct v4l2_ctrl_handler *hdl,
    352                             struct v4l2_ext_controls *cs,
    353                             struct video_device *vdev)
    354 {
    355         struct v4l2_ctrl_helper helper[4];
    356         struct v4l2_ctrl_helper *helpers = helper;
    357         int ret;
    358         int i, j;
    359         bool is_default, is_request;
    360 
    361         is_default = (cs->which == V4L2_CTRL_WHICH_DEF_VAL);
    362         is_request = (cs->which == V4L2_CTRL_WHICH_REQUEST_VAL);
    363 
    364         cs->error_idx = cs->count;
    365         cs->which = V4L2_CTRL_ID2WHICH(cs->which);
    366 
    367         if (!hdl)
    368                 return -EINVAL;
    369 
    370         if (cs->count == 0)
    371                 return class_check(hdl, cs->which);
    372 
    373         if (cs->count > ARRAY_SIZE(helper)) {
--> 374                 helpers = kvmalloc_array(cs->count, sizeof(helper[0]),

These days if "cs->count" is larger than INT_MAX it will trigger a
WARN() because basically "people shouldn't be so trusting of user
space".  kvmalloc() used to be able to allocate more than INT_MAX but
that led to integer overflow problmes and security bugs.

This "cs->count" value comes from the user via the ioctl.  I don't know
what a sensible upper bound is though.

    375                                          GFP_KERNEL);
    376                 if (!helpers)
    377                         return -ENOMEM;
    378         }
    379 

regards,
dan carpenter

             reply	other threads:[~2022-02-07 12:50 UTC|newest]

Thread overview: 3+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2022-02-07 11:34 Dan Carpenter [this message]
2022-02-07 11:50 ` [bug report] media: v4l2-ctrls: split up into four source files Hans Verkuil
2022-02-07 12:15   ` Dan Carpenter

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20220207113424.GA28058@kili \
    --to=dan.carpenter@oracle.com \
    --cc=hverkuil-cisco@xs4all.nl \
    --cc=linux-media@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox