From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev,
syzbot+e27f3dbdab04e43b9f73@syzkaller.appspotmail.com,
Rajeshwar R Shinde <coolrrsh@gmail.com>,
Hans Verkuil <hverkuil-cisco@xs4all.nl>,
Sasha Levin <sashal@kernel.org>
Subject: [PATCH 4.14 23/57] media: gspca: cpia1: shift-out-of-bounds in set_flicker
Date: Fri, 24 Nov 2023 17:50:47 +0000 [thread overview]
Message-ID: <20231124171931.124237637@linuxfoundation.org> (raw)
In-Reply-To: <20231124171930.281665051@linuxfoundation.org>
4.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Rajeshwar R Shinde <coolrrsh@gmail.com>
[ Upstream commit 099be1822d1f095433f4b08af9cc9d6308ec1953 ]
Syzkaller reported the following issue:
UBSAN: shift-out-of-bounds in drivers/media/usb/gspca/cpia1.c:1031:27
shift exponent 245 is too large for 32-bit type 'int'
When the value of the variable "sd->params.exposure.gain" exceeds the
number of bits in an integer, a shift-out-of-bounds error is reported. It
is triggered because the variable "currentexp" cannot be left-shifted by
more than the number of bits in an integer. In order to avoid invalid
range during left-shift, the conditional expression is added.
Reported-by: syzbot+e27f3dbdab04e43b9f73@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/all/20230818164522.12806-1-coolrrsh@gmail.com
Link: https://syzkaller.appspot.com/bug?extid=e27f3dbdab04e43b9f73
Signed-off-by: Rajeshwar R Shinde <coolrrsh@gmail.com>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/media/usb/gspca/cpia1.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/media/usb/gspca/cpia1.c b/drivers/media/usb/gspca/cpia1.c
index e91d00762e94b..bf34479a87cc5 100644
--- a/drivers/media/usb/gspca/cpia1.c
+++ b/drivers/media/usb/gspca/cpia1.c
@@ -28,6 +28,7 @@
#include <linux/input.h>
#include <linux/sched/signal.h>
+#include <linux/bitops.h>
#include "gspca.h"
@@ -1032,6 +1033,8 @@ static int set_flicker(struct gspca_dev *gspca_dev, int on, int apply)
sd->params.exposure.expMode = 2;
sd->exposure_status = EXPOSURE_NORMAL;
}
+ if (sd->params.exposure.gain >= BITS_PER_TYPE(currentexp))
+ return -EINVAL;
currentexp = currentexp << sd->params.exposure.gain;
sd->params.exposure.gain = 0;
/* round down current exposure to nearest value */
--
2.42.0
next prev parent reply other threads:[~2023-11-24 18:02 UTC|newest]
Thread overview: 60+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-11-24 17:50 [PATCH 4.14 00/57] 4.14.331-rc1 review Greg Kroah-Hartman
2023-11-24 17:50 ` [PATCH 4.14 01/57] locking/ww_mutex/test: Fix potential workqueue corruption Greg Kroah-Hartman
2023-11-24 17:50 ` [PATCH 4.14 02/57] clocksource/drivers/timer-imx-gpt: Fix potential memory leak Greg Kroah-Hartman
2023-11-24 17:50 ` [PATCH 4.14 03/57] clocksource/drivers/timer-atmel-tcb: Fix initialization on SAM9 hardware Greg Kroah-Hartman
2023-11-24 17:50 ` [PATCH 4.14 04/57] x86/mm: Drop the 4 MB restriction on minimal NUMA node memory size Greg Kroah-Hartman
2023-11-24 17:50 ` [PATCH 4.14 05/57] wifi: mac80211: dont return unset power in ieee80211_get_tx_power() Greg Kroah-Hartman
2023-11-24 17:50 ` [PATCH 4.14 06/57] wifi: ath9k: fix clang-specific fortify warnings Greg Kroah-Hartman
2023-11-24 17:50 ` [PATCH 4.14 07/57] wifi: ath10k: fix clang-specific fortify warning Greg Kroah-Hartman
2023-11-24 17:50 ` [PATCH 4.14 08/57] net: annotate data-races around sk->sk_dst_pending_confirm Greg Kroah-Hartman
2023-11-24 17:50 ` [PATCH 4.14 09/57] drm/amd: Fix UBSAN array-index-out-of-bounds for SMU7 Greg Kroah-Hartman
2023-11-24 17:50 ` [PATCH 4.14 10/57] drm/amd: Fix UBSAN array-index-out-of-bounds for Polaris and Tonga Greg Kroah-Hartman
2023-11-24 17:50 ` [PATCH 4.14 11/57] selftests/efivarfs: create-read: fix a resource leak Greg Kroah-Hartman
2023-11-24 17:50 ` [PATCH 4.14 12/57] crypto: pcrypt - Fix hungtask for PADATA_RESET Greg Kroah-Hartman
2023-11-24 17:50 ` [PATCH 4.14 13/57] RDMA/hfi1: Use FIELD_GET() to extract Link Width Greg Kroah-Hartman
2023-11-24 17:50 ` [PATCH 4.14 14/57] fs/jfs: Add check for negative db_l2nbperpage Greg Kroah-Hartman
2023-11-24 17:50 ` [PATCH 4.14 15/57] fs/jfs: Add validity check for db_maxag and db_agpref Greg Kroah-Hartman
2023-11-24 17:50 ` [PATCH 4.14 16/57] jfs: fix array-index-out-of-bounds in dbFindLeaf Greg Kroah-Hartman
2023-11-24 17:50 ` [PATCH 4.14 17/57] jfs: fix array-index-out-of-bounds in diAlloc Greg Kroah-Hartman
2023-11-24 17:50 ` [PATCH 4.14 18/57] ALSA: hda: Fix possible null-ptr-deref when assigning a stream Greg Kroah-Hartman
2023-11-24 17:50 ` [PATCH 4.14 19/57] atm: iphase: Do PCI error checks on own line Greg Kroah-Hartman
2023-11-24 17:50 ` [PATCH 4.14 20/57] scsi: libfc: Fix potential NULL pointer dereference in fc_lport_ptp_setup() Greg Kroah-Hartman
2023-11-24 17:50 ` [PATCH 4.14 21/57] tty: vcc: Add check for kstrdup() in vcc_probe() Greg Kroah-Hartman
2023-11-24 17:50 ` [PATCH 4.14 22/57] i2c: sun6i-p2wi: Prevent potential division by zero Greg Kroah-Hartman
2023-11-24 17:50 ` Greg Kroah-Hartman [this message]
2023-11-24 17:50 ` [PATCH 4.14 24/57] media: vivid: avoid integer overflow Greg Kroah-Hartman
2023-11-24 17:50 ` [PATCH 4.14 25/57] gfs2: ignore negated quota changes Greg Kroah-Hartman
2023-11-24 17:50 ` [PATCH 4.14 26/57] pwm: Fix double shift bug Greg Kroah-Hartman
2023-11-24 17:50 ` [PATCH 4.14 27/57] media: venus: hfi: add checks to perform sanity on queue pointers Greg Kroah-Hartman
2023-11-24 17:50 ` [PATCH 4.14 28/57] randstruct: Fix gcc-plugin performance mode to stay in group Greg Kroah-Hartman
2023-11-24 17:50 ` [PATCH 4.14 29/57] KVM: x86: Ignore MSR_AMD64_TW_CFG access Greg Kroah-Hartman
2023-11-24 17:50 ` [PATCH 4.14 30/57] audit: dont take task_lock() in audit_exe_compare() code path Greg Kroah-Hartman
2023-11-24 17:50 ` [PATCH 4.14 31/57] audit: dont WARN_ON_ONCE(!current->mm) in audit_exe_compare() Greg Kroah-Hartman
2023-11-24 17:50 ` [PATCH 4.14 32/57] hvc/xen: fix error path in xen_hvc_init() to always register frontend driver Greg Kroah-Hartman
2023-11-24 17:50 ` [PATCH 4.14 33/57] PCI/sysfs: Protect drivers D3cold preference from user space Greg Kroah-Hartman
2023-11-24 17:50 ` [PATCH 4.14 34/57] parisc/power: Add power soft-off when running on qemu Greg Kroah-Hartman
2023-11-24 17:50 ` [PATCH 4.14 35/57] mmc: vub300: fix an error code Greg Kroah-Hartman
2023-11-24 17:51 ` [PATCH 4.14 36/57] PM: hibernate: Use __get_safe_page() rather than touching the list Greg Kroah-Hartman
2023-11-24 17:51 ` [PATCH 4.14 37/57] PM: hibernate: Clean up sync_read handling in snapshot_write_next() Greg Kroah-Hartman
2023-11-24 17:51 ` [PATCH 4.14 38/57] mmc: meson-gx: Remove setting of CMD_CFG_ERROR Greg Kroah-Hartman
2023-11-24 17:51 ` [PATCH 4.14 39/57] genirq/generic_chip: Make irq_remove_generic_chip() irqdomain aware Greg Kroah-Hartman
2023-11-24 17:51 ` [PATCH 4.14 40/57] jbd2: fix potential data lost in recovering journal raced with synchronizing fs bdev Greg Kroah-Hartman
2023-11-24 17:51 ` [PATCH 4.14 41/57] mcb: fix error handling for different scenarios when parsing Greg Kroah-Hartman
2023-11-24 17:51 ` [PATCH 4.14 42/57] s390/cmma: fix initial kernel address space page table walk Greg Kroah-Hartman
2023-11-24 17:51 ` [PATCH 4.14 43/57] s390/cmma: fix handling of swapper_pg_dir and invalid_pg_dir Greg Kroah-Hartman
2023-11-24 17:51 ` [PATCH 4.14 44/57] parisc: Prevent booting 64-bit kernels on PA1.x machines Greg Kroah-Hartman
2023-11-24 17:51 ` [PATCH 4.14 45/57] parisc/pgtable: Do not drop upper 5 address bits of physical address Greg Kroah-Hartman
2023-11-24 17:51 ` [PATCH 4.14 46/57] parisc/power: Fix power soft-off when running on qemu Greg Kroah-Hartman
2023-11-24 17:51 ` [PATCH 4.14 47/57] ALSA: info: Fix potential deadlock at disconnection Greg Kroah-Hartman
2023-11-24 17:51 ` [PATCH 4.14 48/57] net: dsa: lan9303: consequently nested-lock physical MDIO Greg Kroah-Hartman
2023-11-24 17:51 ` [PATCH 4.14 49/57] i2c: i801: fix potential race in i801_block_transaction_byte_by_byte Greg Kroah-Hartman
2023-11-24 17:51 ` [PATCH 4.14 50/57] media: sharp: fix sharp encoding Greg Kroah-Hartman
2023-11-24 17:51 ` [PATCH 4.14 51/57] media: venus: hfi: fix the check to handle session buffer requirement Greg Kroah-Hartman
2023-11-24 17:51 ` [PATCH 4.14 52/57] ext4: apply umask if ACL support is disabled Greg Kroah-Hartman
2023-11-24 17:51 ` [PATCH 4.14 53/57] ext4: correct offset of gdb backup in non meta_bg group to update_backups Greg Kroah-Hartman
2023-11-24 17:51 ` [PATCH 4.14 54/57] ext4: correct return value of ext4_convert_meta_bg Greg Kroah-Hartman
2023-11-24 17:51 ` [PATCH 4.14 55/57] ext4: remove gdb backup copy for meta bg in setup_new_flex_group_blocks Greg Kroah-Hartman
2023-11-24 17:51 ` [PATCH 4.14 56/57] scsi: virtio_scsi: limit number of hw queues by nr_cpu_ids Greg Kroah-Hartman
2023-11-24 17:51 ` [PATCH 4.14 57/57] net: sched: fix race condition in qdisc_graft() Greg Kroah-Hartman
2023-11-24 20:51 ` [PATCH 4.14 00/57] 4.14.331-rc1 review Daniel Díaz
2023-11-25 15:40 ` Greg Kroah-Hartman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20231124171931.124237637@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=coolrrsh@gmail.com \
--cc=hverkuil-cisco@xs4all.nl \
--cc=patches@lists.linux.dev \
--cc=sashal@kernel.org \
--cc=stable@vger.kernel.org \
--cc=syzbot+e27f3dbdab04e43b9f73@syzkaller.appspotmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox