mirror of
https://github.com/brain-hackers/linux-brain.git
synced 2024-06-09 15:26:21 +09:00
media: gspca: zero usb_buf on error
If reg_r() fails, then gspca_dev->usb_buf was left uninitialized, and some drivers used the contents of that buffer in logic. This caused several syzbot errors: https://syzkaller.appspot.com/bug?extid=397fd082ce5143e2f67d https://syzkaller.appspot.com/bug?extid=1a35278dd0ebfb3a038a https://syzkaller.appspot.com/bug?extid=06ddf1788cfd048c5e82 I analyzed the gspca drivers and zeroed the buffer where needed. Reported-and-tested-by: syzbot+1a35278dd0ebfb3a038a@syzkaller.appspotmail.com Reported-and-tested-by: syzbot+397fd082ce5143e2f67d@syzkaller.appspotmail.com Reported-and-tested-by: syzbot+06ddf1788cfd048c5e82@syzkaller.appspotmail.com Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl> Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
This commit is contained in:
parent
2509d725e0
commit
4843a543fa
|
@ -114,6 +114,11 @@ static void reg_r(struct gspca_dev *gspca_dev, u16 value, u16 index)
|
||||||
if (ret < 0) {
|
if (ret < 0) {
|
||||||
pr_err("reg_r err %d\n", ret);
|
pr_err("reg_r err %d\n", ret);
|
||||||
gspca_dev->usb_err = ret;
|
gspca_dev->usb_err = ret;
|
||||||
|
/*
|
||||||
|
* Make sure the buffer is zeroed to avoid uninitialized
|
||||||
|
* values.
|
||||||
|
*/
|
||||||
|
memset(gspca_dev->usb_buf, 0, 2);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -1572,6 +1572,11 @@ static void reg_r(struct gspca_dev *gspca_dev,
|
||||||
if (ret < 0) {
|
if (ret < 0) {
|
||||||
pr_err("reg_r err %d\n", ret);
|
pr_err("reg_r err %d\n", ret);
|
||||||
gspca_dev->usb_err = ret;
|
gspca_dev->usb_err = ret;
|
||||||
|
/*
|
||||||
|
* Make sure the buffer is zeroed to avoid uninitialized
|
||||||
|
* values.
|
||||||
|
*/
|
||||||
|
memset(gspca_dev->usb_buf, 0, USB_BUF_SZ);
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
if (len == 1)
|
if (len == 1)
|
||||||
|
|
|
@ -2073,6 +2073,11 @@ static int reg_r(struct sd *sd, u16 index)
|
||||||
} else {
|
} else {
|
||||||
gspca_err(gspca_dev, "reg_r %02x failed %d\n", index, ret);
|
gspca_err(gspca_dev, "reg_r %02x failed %d\n", index, ret);
|
||||||
sd->gspca_dev.usb_err = ret;
|
sd->gspca_dev.usb_err = ret;
|
||||||
|
/*
|
||||||
|
* Make sure the result is zeroed to avoid uninitialized
|
||||||
|
* values.
|
||||||
|
*/
|
||||||
|
gspca_dev->usb_buf[0] = 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
return ret;
|
return ret;
|
||||||
|
@ -2101,6 +2106,11 @@ static int reg_r8(struct sd *sd,
|
||||||
} else {
|
} else {
|
||||||
gspca_err(gspca_dev, "reg_r8 %02x failed %d\n", index, ret);
|
gspca_err(gspca_dev, "reg_r8 %02x failed %d\n", index, ret);
|
||||||
sd->gspca_dev.usb_err = ret;
|
sd->gspca_dev.usb_err = ret;
|
||||||
|
/*
|
||||||
|
* Make sure the buffer is zeroed to avoid uninitialized
|
||||||
|
* values.
|
||||||
|
*/
|
||||||
|
memset(gspca_dev->usb_buf, 0, 8);
|
||||||
}
|
}
|
||||||
|
|
||||||
return ret;
|
return ret;
|
||||||
|
|
|
@ -693,6 +693,11 @@ static u8 ov534_reg_read(struct gspca_dev *gspca_dev, u16 reg)
|
||||||
if (ret < 0) {
|
if (ret < 0) {
|
||||||
pr_err("read failed %d\n", ret);
|
pr_err("read failed %d\n", ret);
|
||||||
gspca_dev->usb_err = ret;
|
gspca_dev->usb_err = ret;
|
||||||
|
/*
|
||||||
|
* Make sure the result is zeroed to avoid uninitialized
|
||||||
|
* values.
|
||||||
|
*/
|
||||||
|
gspca_dev->usb_buf[0] = 0;
|
||||||
}
|
}
|
||||||
return gspca_dev->usb_buf[0];
|
return gspca_dev->usb_buf[0];
|
||||||
}
|
}
|
||||||
|
|
|
@ -1145,6 +1145,7 @@ static u8 reg_r(struct gspca_dev *gspca_dev, u16 reg)
|
||||||
if (ret < 0) {
|
if (ret < 0) {
|
||||||
pr_err("reg_r err %d\n", ret);
|
pr_err("reg_r err %d\n", ret);
|
||||||
gspca_dev->usb_err = ret;
|
gspca_dev->usb_err = ret;
|
||||||
|
return 0;
|
||||||
}
|
}
|
||||||
return gspca_dev->usb_buf[0];
|
return gspca_dev->usb_buf[0];
|
||||||
}
|
}
|
||||||
|
|
|
@ -101,6 +101,11 @@ static void se401_read_req(struct gspca_dev *gspca_dev, u16 req, int silent)
|
||||||
pr_err("read req failed req %#04x error %d\n",
|
pr_err("read req failed req %#04x error %d\n",
|
||||||
req, err);
|
req, err);
|
||||||
gspca_dev->usb_err = err;
|
gspca_dev->usb_err = err;
|
||||||
|
/*
|
||||||
|
* Make sure the buffer is zeroed to avoid uninitialized
|
||||||
|
* values.
|
||||||
|
*/
|
||||||
|
memset(gspca_dev->usb_buf, 0, READ_REQ_SIZE);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -909,6 +909,11 @@ static void reg_r(struct gspca_dev *gspca_dev, u16 reg, u16 length)
|
||||||
if (unlikely(result < 0 || result != length)) {
|
if (unlikely(result < 0 || result != length)) {
|
||||||
pr_err("Read register %02x failed %d\n", reg, result);
|
pr_err("Read register %02x failed %d\n", reg, result);
|
||||||
gspca_dev->usb_err = result;
|
gspca_dev->usb_err = result;
|
||||||
|
/*
|
||||||
|
* Make sure the buffer is zeroed to avoid uninitialized
|
||||||
|
* values.
|
||||||
|
*/
|
||||||
|
memset(gspca_dev->usb_buf, 0, USB_BUF_SZ);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -453,6 +453,11 @@ static void reg_r(struct gspca_dev *gspca_dev,
|
||||||
dev_err(gspca_dev->v4l2_dev.dev,
|
dev_err(gspca_dev->v4l2_dev.dev,
|
||||||
"Error reading register %02x: %d\n", value, res);
|
"Error reading register %02x: %d\n", value, res);
|
||||||
gspca_dev->usb_err = res;
|
gspca_dev->usb_err = res;
|
||||||
|
/*
|
||||||
|
* Make sure the result is zeroed to avoid uninitialized
|
||||||
|
* values.
|
||||||
|
*/
|
||||||
|
gspca_dev->usb_buf[0] = 0;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -1162,6 +1162,11 @@ static void reg_r(struct gspca_dev *gspca_dev,
|
||||||
if (ret < 0) {
|
if (ret < 0) {
|
||||||
pr_err("reg_r err %d\n", ret);
|
pr_err("reg_r err %d\n", ret);
|
||||||
gspca_dev->usb_err = ret;
|
gspca_dev->usb_err = ret;
|
||||||
|
/*
|
||||||
|
* Make sure the buffer is zeroed to avoid uninitialized
|
||||||
|
* values.
|
||||||
|
*/
|
||||||
|
memset(gspca_dev->usb_buf, 0, USB_BUF_SZ);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -71,6 +71,11 @@ static void reg_r(struct gspca_dev *gspca_dev,
|
||||||
if (ret < 0) {
|
if (ret < 0) {
|
||||||
pr_err("reg_r err %d\n", ret);
|
pr_err("reg_r err %d\n", ret);
|
||||||
gspca_dev->usb_err = ret;
|
gspca_dev->usb_err = ret;
|
||||||
|
/*
|
||||||
|
* Make sure the buffer is zeroed to avoid uninitialized
|
||||||
|
* values.
|
||||||
|
*/
|
||||||
|
memset(gspca_dev->usb_buf, 0, USB_BUF_SZ);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -425,6 +425,11 @@ static void reg_r(struct gspca_dev *gspca_dev,
|
||||||
if (ret < 0) {
|
if (ret < 0) {
|
||||||
pr_err("reg_r %04x failed %d\n", value, ret);
|
pr_err("reg_r %04x failed %d\n", value, ret);
|
||||||
gspca_dev->usb_err = ret;
|
gspca_dev->usb_err = ret;
|
||||||
|
/*
|
||||||
|
* Make sure the buffer is zeroed to avoid uninitialized
|
||||||
|
* values.
|
||||||
|
*/
|
||||||
|
memset(gspca_dev->usb_buf, 0, USB_BUF_SZ);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -255,6 +255,11 @@ static void reg_r(struct gspca_dev *gspca_dev,
|
||||||
if (ret < 0) {
|
if (ret < 0) {
|
||||||
pr_err("reg_r err %d\n", ret);
|
pr_err("reg_r err %d\n", ret);
|
||||||
gspca_dev->usb_err = ret;
|
gspca_dev->usb_err = ret;
|
||||||
|
/*
|
||||||
|
* Make sure the buffer is zeroed to avoid uninitialized
|
||||||
|
* values.
|
||||||
|
*/
|
||||||
|
memset(gspca_dev->usb_buf, 0, USB_BUF_SZ);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -2906,6 +2906,11 @@ static void reg_r_i(struct gspca_dev *gspca_dev,
|
||||||
if (ret < 0) {
|
if (ret < 0) {
|
||||||
pr_err("reg_r err %d\n", ret);
|
pr_err("reg_r err %d\n", ret);
|
||||||
gspca_dev->usb_err = ret;
|
gspca_dev->usb_err = ret;
|
||||||
|
/*
|
||||||
|
* Make sure the buffer is zeroed to avoid uninitialized
|
||||||
|
* values.
|
||||||
|
*/
|
||||||
|
memset(gspca_dev->usb_buf, 0, USB_BUF_SZ);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
static void reg_r(struct gspca_dev *gspca_dev,
|
static void reg_r(struct gspca_dev *gspca_dev,
|
||||||
|
|
|
@ -133,6 +133,11 @@ static int w9968cf_read_sb(struct sd *sd)
|
||||||
} else {
|
} else {
|
||||||
pr_err("Read SB reg [01] failed\n");
|
pr_err("Read SB reg [01] failed\n");
|
||||||
sd->gspca_dev.usb_err = ret;
|
sd->gspca_dev.usb_err = ret;
|
||||||
|
/*
|
||||||
|
* Make sure the buffer is zeroed to avoid uninitialized
|
||||||
|
* values.
|
||||||
|
*/
|
||||||
|
memset(sd->gspca_dev.usb_buf, 0, 2);
|
||||||
}
|
}
|
||||||
|
|
||||||
udelay(W9968CF_I2C_BUS_DELAY);
|
udelay(W9968CF_I2C_BUS_DELAY);
|
||||||
|
|
Loading…
Reference in New Issue
Block a user