From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Hans Verkuil <hverkuil-cisco@xs4all.nl>,
syzbot+4f021cf3697781dbd9fb@syzkaller.appspotmail.com,
Laurent Pinchart <laurent.pinchart@ideasonboard.com>,
Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
Subject: [PATCH 4.9 14/30] media: v4l2-ctrls.c/uvc: zero v4l2_event
Date: Tue, 26 Mar 2019 15:29:53 +0900 [thread overview]
Message-ID: <20190326042608.056154498@linuxfoundation.org> (raw)
In-Reply-To: <20190326042607.558087893@linuxfoundation.org>
4.9-stable review patch. If anyone has any objections, please let me know.
------------------
From: Hans Verkuil <hverkuil@xs4all.nl>
commit f45f3f753b0a3d739acda8e311b4f744d82dc52a upstream.
Control events can leak kernel memory since they do not fully zero the
event. The same code is present in both v4l2-ctrls.c and uvc_ctrl.c, so
fix both.
It appears that all other event code is properly zeroing the structure,
it's these two places.
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Reported-by: syzbot+4f021cf3697781dbd9fb@syzkaller.appspotmail.com
Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/usb/uvc/uvc_ctrl.c | 2 +-
drivers/media/v4l2-core/v4l2-ctrls.c | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
--- a/drivers/media/usb/uvc/uvc_ctrl.c
+++ b/drivers/media/usb/uvc/uvc_ctrl.c
@@ -1203,7 +1203,7 @@ static void uvc_ctrl_fill_event(struct u
__uvc_query_v4l2_ctrl(chain, ctrl, mapping, &v4l2_ctrl);
- memset(ev->reserved, 0, sizeof(ev->reserved));
+ memset(ev, 0, sizeof(*ev));
ev->type = V4L2_EVENT_CTRL;
ev->id = v4l2_ctrl.id;
ev->u.ctrl.value = value;
--- a/drivers/media/v4l2-core/v4l2-ctrls.c
+++ b/drivers/media/v4l2-core/v4l2-ctrls.c
@@ -1231,7 +1231,7 @@ static u32 user_flags(const struct v4l2_
static void fill_event(struct v4l2_event *ev, struct v4l2_ctrl *ctrl, u32 changes)
{
- memset(ev->reserved, 0, sizeof(ev->reserved));
+ memset(ev, 0, sizeof(*ev));
ev->type = V4L2_EVENT_CTRL;
ev->id = ctrl->id;
ev->u.ctrl.changes = changes;
next prev parent reply other threads:[~2019-03-26 6:47 UTC|newest]
Thread overview: 38+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-03-26 6:29 [PATCH 4.9 00/30] 4.9.166-stable review Greg Kroah-Hartman
2019-03-26 6:29 ` [PATCH 4.9 01/30] mmc: pxamci: fix enum type confusion Greg Kroah-Hartman
2019-03-26 6:29 ` [PATCH 4.9 02/30] drm/vmwgfx: Dont double-free the mode stored in par->set_mode Greg Kroah-Hartman
2019-03-26 6:29 ` [PATCH 4.9 03/30] iommu/amd: fix sg->dma_address for sg->offset bigger than PAGE_SIZE Greg Kroah-Hartman
2019-03-26 6:29 ` [PATCH 4.9 04/30] libceph: wait for latest osdmap in ceph_monc_blacklist_add() Greg Kroah-Hartman
2019-03-26 6:29 ` [PATCH 4.9 05/30] udf: Fix crash on IO error during truncate Greg Kroah-Hartman
2019-03-26 6:29 ` [PATCH 4.9 06/30] mips: loongson64: lemote-2f: Add IRQF_NO_SUSPEND to "cascade" irqaction Greg Kroah-Hartman
2019-03-26 6:29 ` [PATCH 4.9 07/30] MIPS: Ensure ELF appended dtb is relocated Greg Kroah-Hartman
2019-03-26 6:29 ` [PATCH 4.9 08/30] MIPS: Fix kernel crash for R6 in jump label branch function Greg Kroah-Hartman
2019-03-26 6:29 ` [PATCH 4.9 09/30] futex: Ensure that futex address is aligned in handle_futex_death() Greg Kroah-Hartman
2019-03-26 6:29 ` [PATCH 4.9 10/30] objtool: Move objtool_file struct off the stack Greg Kroah-Hartman
2019-03-26 6:29 ` [PATCH 4.9 11/30] ext4: fix NULL pointer dereference while journal is aborted Greg Kroah-Hartman
2019-03-26 6:29 ` [PATCH 4.9 12/30] ext4: fix data corruption caused by unaligned direct AIO Greg Kroah-Hartman
2019-03-26 6:29 ` [PATCH 4.9 13/30] ext4: brelse all indirect buffer in ext4_ind_remove_space() Greg Kroah-Hartman
2019-03-26 6:29 ` Greg Kroah-Hartman [this message]
2019-03-26 6:29 ` [PATCH 4.9 15/30] Bluetooth: Fix decrementing reference count twice in releasing socket Greg Kroah-Hartman
2019-03-26 6:29 ` [PATCH 4.9 16/30] locking/lockdep: Add debug_locks check in __lock_downgrade() Greg Kroah-Hartman
2019-03-26 6:29 ` [PATCH 4.9 17/30] ALSA: hda - Record the current power state before suspend/resume calls Greg Kroah-Hartman
2019-03-26 6:29 ` [PATCH 4.9 18/30] ALSA: hda - Enforces runtime_resume after S3 and S4 for each codec Greg Kroah-Hartman
2019-03-26 6:29 ` [PATCH 4.9 19/30] tcp/dccp: drop SYN packets if accept queue is full Greg Kroah-Hartman
2019-03-26 6:29 ` [PATCH 4.9 20/30] serial: sprd: adjust TIMEOUT to a big value Greg Kroah-Hartman
2019-03-26 6:30 ` [PATCH 4.9 21/30] Hang/soft lockup in d_invalidate with simultaneous calls Greg Kroah-Hartman
2019-03-26 6:30 ` [PATCH 4.9 22/30] arm64: traps: disable irq in die() Greg Kroah-Hartman
2019-03-26 6:30 ` [PATCH 4.9 23/30] serial: sprd: clear timeout interrupt only rather than all interrupts Greg Kroah-Hartman
2019-03-26 6:30 ` [PATCH 4.9 24/30] lib/int_sqrt: optimize small argument Greg Kroah-Hartman
2019-03-26 6:30 ` [PATCH 4.9 25/30] USB: core: only clean up what we allocated Greg Kroah-Hartman
2019-03-30 17:18 ` Nathan Chancellor
2019-04-01 11:46 ` Greg Kroah-Hartman
2019-03-26 6:30 ` [PATCH 4.9 26/30] scsi: ufs: fix wrong command type of UTRD for UFSHCI v2.1 Greg Kroah-Hartman
2019-03-26 6:30 ` [PATCH 4.9 27/30] rtc: Fix overflow when converting time64_t to rtc_time Greg Kroah-Hartman
2019-03-26 6:30 ` [PATCH 4.9 28/30] pwm-backlight: Enable/disable the PWM before/after LCD enable toggle Greg Kroah-Hartman
2019-03-26 6:30 ` [PATCH 4.9 29/30] power: supply: charger-manager: Fix incorrect return value Greg Kroah-Hartman
2019-03-26 6:30 ` [PATCH 4.9 30/30] ath10k: avoid possible string overflow Greg Kroah-Hartman
2019-03-26 11:41 ` [PATCH 4.9 00/30] 4.9.166-stable review Naresh Kamboju
2019-03-26 12:03 ` kernelci.org bot
2019-03-26 15:18 ` Jon Hunter
2019-03-26 17:48 ` Guenter Roeck
2019-03-26 23:16 ` shuah
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190326042608.056154498@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=hverkuil-cisco@xs4all.nl \
--cc=laurent.pinchart@ideasonboard.com \
--cc=linux-kernel@vger.kernel.org \
--cc=mchehab+samsung@kernel.org \
--cc=stable@vger.kernel.org \
--cc=syzbot+4f021cf3697781dbd9fb@syzkaller.appspotmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).