From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Kees Cook <keescook@chromium.org>,
ionut_n2001@yahoo.com,
Laurent Pinchart <laurent.pinchart@ideasonboard.com>,
Sasha Levin <sashal@kernel.org>,
mchehab@kernel.org, linux-media@vger.kernel.org
Subject: [PATCH AUTOSEL 4.19 04/16] media: uvcvideo: Silence memcpy() run-time false positive warnings
Date: Fri, 3 Mar 2023 16:48:37 -0500
Message-ID: <20230303214849.1454002-4-sashal@kernel.org>
In-Reply-To: <20230303214849.1454002-1-sashal@kernel.org>
From: Kees Cook <keescook@chromium.org>

[ Upstream commit b839212988575c701aab4d3d9ca15e44c87e383c ]

The memcpy() in uvc_video_decode_meta() intentionally copies across the
length and flags members and into the trailing buf flexible array.
Split the copy so that the compiler can better reason about (the lack
of) buffer overflows here. Avoid the run-time false positive warning:

  memcpy: detected field-spanning write (size 12) of single field "&meta->length" at drivers/media/usb/uvc/uvc_video.c:1355 (size 1)

Additionally fix a typo in the documentation for struct uvc_meta_buf.

Reported-by: ionut_n2001@yahoo.com
Link: https://bugzilla.kernel.org/show_bug.cgi?id=216810
Signed-off-by: Kees Cook <keescook@chromium.org>
Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/media/usb/uvc/uvc_video.c | 4 +++-
include/uapi/linux/uvcvideo.h | 2 +-
2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/drivers/media/usb/uvc/uvc_video.c b/drivers/media/usb/uvc/uvc_video.c
index b431f06d5a1f5..1c0249df52566 100644
--- a/drivers/media/usb/uvc/uvc_video.c
+++ b/drivers/media/usb/uvc/uvc_video.c
@@ -1278,7 +1278,9 @@ static void uvc_video_decode_meta(struct uvc_streaming *stream,
if (has_scr)
memcpy(stream->clock.last_scr, scr, 6);
- memcpy(&meta->length, mem, length);
+ meta->length = mem[0];
+ meta->flags = mem[1];
+ memcpy(meta->buf, &mem[2], length - 2);
meta_buf->bytesused += length + sizeof(meta->ns) + sizeof(meta->sof);
uvc_trace(UVC_TRACE_FRAME,
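Review bot: The added `memcpy(meta->buf, &mem[2], length - 2);` computes its size by subtraction, and nothing in this hunk's context shows that `length` is at least 2 when these lines run. The replaced `memcpy(&meta->length, mem, length)` had no subtraction and read nothing from `mem` for a zero length, whereas the new lines always read `mem[0]` and `mem[1]` and would pass a wrapped size if `length` is unsigned and smaller than 2. Please confirm that the guard on `length` earlier in uvc_video_decode_meta() or in its caller is present in the 4.19 tree this is being applied to. A one-line comment above the three new lines, saying the copy is split on purpose so the field-spanning write check can see each destination, would also keep a later cleanup from folding them back into a single memcpy().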
diff --git a/include/uapi/linux/uvcvideo.h b/include/uapi/linux/uvcvideo.h
index f80f05b3c423f..2140923661934 100644
--- a/include/uapi/linux/uvcvideo.h
+++ b/include/uapi/linux/uvcvideo.h
@@ -86,7 +86,7 @@ struct uvc_xu_control_query {
* struct. The first two fields are added by the driver, they can be used for
* clock synchronisation. The rest is an exact copy of a UVC payload header.
* Only complete objects with complete buffers are included. Therefore it's
- * always sizeof(meta->ts) + sizeof(meta->sof) + meta->length bytes large.
+ * always sizeof(meta->ns) + sizeof(meta->sof) + meta->length bytes large.
*/
struct uvc_meta_buf {
__u64 ns;
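Review bot: The change from `sizeof(meta->ts)` to `sizeof(meta->ns)` is comment-only and sits in a uapi header, so it is independent of the memcpy() warning this backport is selected for and could be left out of the stable pick without any change in behaviour. If it stays, it is correct as written: the struct just below declares `__u64 ns;`, and the `bytesused` line in the uvc_video.c hunk uses the same `sizeof(meta->ns) + sizeof(meta->sof)` expression.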
--
2.39.2