From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org,
syzbot+66010012fd4c531a1a96@syzkaller.appspotmail.com,
Vandana BN <bnvandana@gmail.com>,
Hans Verkuil <hverkuil-cisco@xs4all.nl>,
Mauro Carvalho Chehab <mchehab+samsung@kernel.org>,
Ben Hutchings <ben.hutchings@codethink.co.uk>
Subject: [PATCH 4.9 14/97] media: usb:zr364xx:Fix KASAN:null-ptr-deref Read in zr364xx_vidioc_querycap
Date: Wed, 22 Jan 2020 10:28:18 +0100 [thread overview]
Message-ID: <20200122092758.179998216@linuxfoundation.org> (raw)
In-Reply-To: <20200122092755.678349497@linuxfoundation.org>
From: Vandana BN <bnvandana@gmail.com>
commit 5d2e73a5f80a5b5aff3caf1ec6d39b5b3f54b26e upstream.
SyzKaller hit the null pointer deref while reading from uninitialized
udev->product in zr364xx_vidioc_querycap().
==================================================================
BUG: KASAN: null-ptr-deref in read_word_at_a_time+0xe/0x20
include/linux/compiler.h:274
Read of size 1 at addr 0000000000000000 by task v4l_id/5287
CPU: 1 PID: 5287 Comm: v4l_id Not tainted 5.1.0-rc3-319004-g43151d6 #6
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0xe8/0x16e lib/dump_stack.c:113
kasan_report.cold+0x5/0x3c mm/kasan/report.c:321
read_word_at_a_time+0xe/0x20 include/linux/compiler.h:274
strscpy+0x8a/0x280 lib/string.c:207
zr364xx_vidioc_querycap+0xb5/0x210 drivers/media/usb/zr364xx/zr364xx.c:706
v4l_querycap+0x12b/0x340 drivers/media/v4l2-core/v4l2-ioctl.c:1062
__video_do_ioctl+0x5bb/0xb40 drivers/media/v4l2-core/v4l2-ioctl.c:2874
video_usercopy+0x44e/0xf00 drivers/media/v4l2-core/v4l2-ioctl.c:3056
v4l2_ioctl+0x14e/0x1a0 drivers/media/v4l2-core/v4l2-dev.c:364
vfs_ioctl fs/ioctl.c:46 [inline]
file_ioctl fs/ioctl.c:509 [inline]
do_vfs_ioctl+0xced/0x12f0 fs/ioctl.c:696
ksys_ioctl+0xa0/0xc0 fs/ioctl.c:713
__do_sys_ioctl fs/ioctl.c:720 [inline]
__se_sys_ioctl fs/ioctl.c:718 [inline]
__x64_sys_ioctl+0x74/0xb0 fs/ioctl.c:718
do_syscall_64+0xcf/0x4f0 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x7f3b56d8b347
Code: 90 90 90 48 8b 05 f1 fa 2a 00 64 c7 00 26 00 00 00 48 c7 c0 ff ff ff
ff c3 90 90 90 90 90 90 90 90 90 90 b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff
ff 73 01 c3 48 8b 0d c1 fa 2a 00 31 d2 48 29 c2 64
RSP: 002b:00007ffe005d5d68 EFLAGS: 00000202 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f3b56d8b347
RDX: 00007ffe005d5d70 RSI: 0000000080685600 RDI: 0000000000000003
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000400884
R13: 00007ffe005d5ec0 R14: 0000000000000000 R15: 0000000000000000
==================================================================
For this device udev->product is not initialized and accessing it causes a NULL pointer deref.
The fix is to check for NULL before strscpy() and copy empty string, if
product is NULL
Reported-by: syzbot+66010012fd4c531a1a96@syzkaller.appspotmail.com
Signed-off-by: Vandana BN <bnvandana@gmail.com>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
[bwh: Backported to 4.9: This function uses strlcpy() instead of strscpy()]
Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/usb/zr364xx/zr364xx.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/drivers/media/usb/zr364xx/zr364xx.c
+++ b/drivers/media/usb/zr364xx/zr364xx.c
@@ -711,7 +711,8 @@ static int zr364xx_vidioc_querycap(struc
struct zr364xx_camera *cam = video_drvdata(file);
strlcpy(cap->driver, DRIVER_DESC, sizeof(cap->driver));
- strlcpy(cap->card, cam->udev->product, sizeof(cap->card));
+ if (cam->udev->product)
+ strlcpy(cap->card, cam->udev->product, sizeof(cap->card));
strlcpy(cap->bus_info, dev_name(&cam->udev->dev),
sizeof(cap->bus_info));
cap->device_caps = V4L2_CAP_VIDEO_CAPTURE |
next prev parent reply other threads:[~2020-01-22 9:54 UTC|newest]
Thread overview: 102+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-01-22 9:28 [PATCH 4.9 00/97] 4.9.211-stable review Greg Kroah-Hartman
2020-01-22 9:28 ` [PATCH 4.9 01/97] hidraw: Return EPOLLOUT from hidraw_poll Greg Kroah-Hartman
2020-01-22 9:28 ` [PATCH 4.9 02/97] HID: hidraw: Fix returning " Greg Kroah-Hartman
2020-01-22 9:28 ` [PATCH 4.9 03/97] HID: hidraw, uhid: Always report EPOLLOUT Greg Kroah-Hartman
2020-01-22 9:28 ` [PATCH 4.9 04/97] ethtool: reduce stack usage with clang Greg Kroah-Hartman
2020-01-22 9:28 ` [PATCH 4.9 05/97] fs/select: avoid clang stack usage warning Greg Kroah-Hartman
2020-01-22 9:28 ` [PATCH 4.9 06/97] rsi: add fix for crash during assertions Greg Kroah-Hartman
2020-01-22 9:28 ` [PATCH 4.9 07/97] arm64: mm: BUG on unsupported manipulations of live kernel mappings Greg Kroah-Hartman
2020-01-22 9:28 ` [PATCH 4.9 08/97] arm64: dont open code page table entry creation Greg Kroah-Hartman
2020-01-22 9:28 ` [PATCH 4.9 09/97] arm64: mm: Change page table pointer name in p[md]_set_huge() Greg Kroah-Hartman
2020-01-22 9:28 ` [PATCH 4.9 10/97] arm64: Enforce BBM for huge IO/VMAP mappings Greg Kroah-Hartman
2020-01-22 9:28 ` [PATCH 4.9 11/97] arm64: Make sure permission updates happen for pmd/pud Greg Kroah-Hartman
2020-01-22 9:28 ` [PATCH 4.9 12/97] cfg80211/mac80211: make ieee80211_send_layer2_update a public function Greg Kroah-Hartman
2020-01-22 9:28 ` [PATCH 4.9 13/97] mac80211: Do not send Layer 2 Update frame before authorization Greg Kroah-Hartman
2020-01-22 9:28 ` Greg Kroah-Hartman [this message]
2020-01-22 9:28 ` [PATCH 4.9 15/97] wimax: i2400: fix memory leak Greg Kroah-Hartman
2020-01-22 9:28 ` [PATCH 4.9 16/97] wimax: i2400: Fix memory leak in i2400m_op_rfkill_sw_toggle Greg Kroah-Hartman
2020-01-22 9:28 ` [PATCH 4.9 17/97] ext4: fix use-after-free race with debug_want_extra_isize Greg Kroah-Hartman
2020-01-22 9:28 ` [PATCH 4.9 18/97] ext4: add more paranoia checking in ext4_expand_extra_isize handling Greg Kroah-Hartman
2020-01-22 9:28 ` [PATCH 4.9 19/97] dccp: Fix memleak in __feat_register_sp Greg Kroah-Hartman
2020-01-22 9:28 ` [PATCH 4.9 20/97] rtc: mt6397: fix alarm register overwrite Greg Kroah-Hartman
2020-01-22 9:28 ` [PATCH 4.9 21/97] iommu: Remove device link to group on failure Greg Kroah-Hartman
2020-01-22 9:28 ` [PATCH 4.9 22/97] gpio: Fix error message on out-of-range GPIO in lookup table Greg Kroah-Hartman
2020-01-22 9:28 ` [PATCH 4.9 23/97] hsr: reset network header when supervision frame is created Greg Kroah-Hartman
2020-01-22 9:28 ` [PATCH 4.9 24/97] cifs: Adjust indentation in smb2_open_file Greg Kroah-Hartman
2020-01-22 9:28 ` [PATCH 4.9 25/97] RDMA/srpt: Report the SCSI residual to the initiator Greg Kroah-Hartman
2020-01-22 9:28 ` [PATCH 4.9 26/97] scsi: enclosure: Fix stale device oops with hot replug Greg Kroah-Hartman
2020-01-22 9:28 ` [PATCH 4.9 27/97] scsi: sd: Clear sdkp->protection_type if disk is reformatted without PI Greg Kroah-Hartman
2020-01-22 9:28 ` [PATCH 4.9 28/97] platform/x86: asus-wmi: Fix keyboard brightness cannot be set to 0 Greg Kroah-Hartman
2020-01-22 9:28 ` [PATCH 4.9 29/97] iio: imu: adis16480: assign bias value only if operation succeeded Greg Kroah-Hartman
2020-01-22 9:28 ` [PATCH 4.9 30/97] mei: fix modalias documentation Greg Kroah-Hartman
2020-01-22 9:28 ` [PATCH 4.9 31/97] clk: samsung: exynos5420: Preserve CPU clocks configuration during suspend/resume Greg Kroah-Hartman
2020-01-22 9:28 ` [PATCH 4.9 32/97] compat_ioctl: handle SIOCOUTQNSD Greg Kroah-Hartman
2020-01-22 9:28 ` [PATCH 4.9 33/97] PCI/PTM: Remove spurious "d" from granularity message Greg Kroah-Hartman
2020-01-22 9:28 ` [PATCH 4.9 34/97] powerpc/powernv: Disable native PCIe port management Greg Kroah-Hartman
2020-01-22 9:28 ` [PATCH 4.9 35/97] tty: serial: imx: use the sg count from dma_map_sg Greg Kroah-Hartman
2020-01-22 9:28 ` [PATCH 4.9 36/97] tty: serial: pch_uart: correct usage of dma_unmap_sg Greg Kroah-Hartman
2020-01-22 9:28 ` [PATCH 4.9 37/97] media: exynos4-is: Fix recursive locking in isp_video_release() Greg Kroah-Hartman
2020-01-22 9:28 ` [PATCH 4.9 38/97] mtd: spi-nor: fix silent truncation in spi_nor_read() Greg Kroah-Hartman
2020-01-22 9:28 ` [PATCH 4.9 39/97] spi: atmel: fix handling of cs_change set on non-last xfer Greg Kroah-Hartman
2020-01-22 9:28 ` [PATCH 4.9 40/97] rtlwifi: Remove unnecessary NULL check in rtl_regd_init Greg Kroah-Hartman
2020-01-22 9:28 ` [PATCH 4.9 41/97] f2fs: fix potential overflow Greg Kroah-Hartman
2020-01-22 9:28 ` [PATCH 4.9 42/97] rtc: msm6242: Fix reading of 10-hour digit Greg Kroah-Hartman
2020-01-22 9:28 ` [PATCH 4.9 43/97] gpio: mpc8xxx: Add platform device to gpiochip->parent Greg Kroah-Hartman
2020-01-22 9:28 ` [PATCH 4.9 44/97] scsi: libcxgbi: fix NULL pointer dereference in cxgbi_device_destroy() Greg Kroah-Hartman
2020-01-22 9:28 ` [PATCH 4.9 45/97] rseq/selftests: Turn off timeout setting Greg Kroah-Hartman
2020-01-22 9:28 ` [PATCH 4.9 46/97] MIPS: Prevent link failure with kcov instrumentation Greg Kroah-Hartman
2020-01-22 9:28 ` [PATCH 4.9 47/97] ioat: ioat_alloc_ring() failure handling Greg Kroah-Hartman
2020-01-22 9:28 ` [PATCH 4.9 48/97] hexagon: parenthesize registers in asm predicates Greg Kroah-Hartman
2020-01-22 9:28 ` [PATCH 4.9 49/97] hexagon: work around compiler crash Greg Kroah-Hartman
2020-01-22 9:28 ` [PATCH 4.9 50/97] ocfs2: call journal flush to mark journal as empty after journal recovery when mount Greg Kroah-Hartman
2020-01-22 9:28 ` [PATCH 4.9 51/97] dt-bindings: reset: meson8b: fix duplicate reset IDs Greg Kroah-Hartman
2020-01-22 9:28 ` [PATCH 4.9 52/97] clk: Dont try to enable critical clocks if prepare failed Greg Kroah-Hartman
2020-01-22 9:28 ` [PATCH 4.9 53/97] ALSA: seq: Fix racy access for queue timer in proc read Greg Kroah-Hartman
2020-01-22 9:28 ` [PATCH 4.9 54/97] Fix built-in early-load Intel microcode alignment Greg Kroah-Hartman
2020-01-22 9:28 ` [PATCH 4.9 55/97] block: fix an integer overflow in logical block size Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.9 56/97] iio: buffer: align the size of scan bytes to size of the largest element Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.9 57/97] USB: serial: simple: Add Motorola Solutions TETRA MTP3xxx and MTP85xx Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.9 58/97] USB: serial: opticon: fix control-message timeouts Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.9 59/97] USB: serial: suppress driver bind attributes Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.9 60/97] USB: serial: ch341: handle unbound port at reset_resume Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.9 61/97] USB: serial: io_edgeport: add missing active-port sanity check Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.9 62/97] USB: serial: quatech2: handle unbound ports Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.9 63/97] scsi: mptfusion: Fix double fetch bug in ioctl Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.9 64/97] usb: core: hub: Improved device recognition on remote wakeup Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.9 65/97] x86/efistub: Disable paging at mixed mode entry Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.9 66/97] perf hists: Fix variable names inconsistency in hists__for_each() macro Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.9 67/97] perf report: Fix incorrectly added dimensions as switch perf data file Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.9 68/97] mm/page-writeback.c: avoid potential division by zero in wb_min_max_ratio() Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.9 69/97] net: stmmac: 16KB buffer must be 16 byte aligned Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.9 70/97] net: stmmac: Enable 16KB buffer size Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.9 71/97] USB: serial: io_edgeport: use irqsave() in USBs complete callback Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.9 72/97] USB: serial: io_edgeport: handle unbound ports on URB completion Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.9 73/97] USB: serial: keyspan: handle unbound ports Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.9 74/97] scsi: fnic: use kernels %pM format option to print MAC Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.9 75/97] scsi: fnic: fix invalid stack access Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.9 76/97] arm64: dts: agilex/stratix10: fix pmu interrupt numbers Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.9 77/97] cfg80211: fix page refcount issue in A-MSDU decap Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.9 78/97] netfilter: fix a use-after-free in mtype_destroy() Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.9 79/97] netfilter: arp_tables: init netns pointer in xt_tgdtor_param struct Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.9 80/97] batman-adv: Fix DAT candidate selection on little endian systems Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.9 81/97] macvlan: use skb_reset_mac_header() in macvlan_queue_xmit() Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.9 82/97] net: dsa: tag_qca: fix doubled Tx statistics Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.9 83/97] net/wan/fsl_ucc_hdlc: fix out of bounds write on array utdm_info Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.9 84/97] r8152: add missing endpoint sanity check Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.9 85/97] tcp: fix marked lost packets not being retransmitted Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.9 86/97] net: usb: lan78xx: limit size of local TSO packets Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.9 87/97] xen/blkfront: Adjust indentation in xlvbd_alloc_gendisk Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.9 88/97] cw1200: Fix a signedness bug in cw1200_load_firmware() Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.9 89/97] cfg80211: check for set_wiphy_params Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.9 90/97] reiserfs: fix handling of -EOPNOTSUPP in reiserfs_for_each_xattr Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.9 91/97] scsi: esas2r: unlock on error in esas2r_nvram_read_direct() Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.9 92/97] scsi: qla4xxx: fix double free bug Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.9 93/97] scsi: bnx2i: fix potential use after free Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.9 94/97] scsi: target: core: Fix a pr_debug() argument Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.9 95/97] scsi: core: scsi_trace: Use get_unaligned_be*() Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.9 96/97] perf probe: Fix wrong address verification Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.9 97/97] regulator: ab8500: Remove SYSCLKREQ from enum ab8505_regulator_id Greg Kroah-Hartman
2020-01-22 14:36 ` [PATCH 4.9 00/97] 4.9.211-stable review Naresh Kamboju
2020-01-22 14:57 ` Jon Hunter
2020-01-22 18:59 ` Guenter Roeck
2020-01-22 20:52 ` shuah
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200122092758.179998216@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=ben.hutchings@codethink.co.uk \
--cc=bnvandana@gmail.com \
--cc=hverkuil-cisco@xs4all.nl \
--cc=linux-kernel@vger.kernel.org \
--cc=mchehab+samsung@kernel.org \
--cc=stable@vger.kernel.org \
--cc=syzbot+66010012fd4c531a1a96@syzkaller.appspotmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).