From patchwork Fri Jun 18 10:34:15 2021
X-Patchwork-Submitter: Tetsuo Handa
X-Patchwork-Id: 12330975
Subject: [PATCH] media: v4l2-ioctl: explicitly initialize argument buffer
To: mchehab@kernel.org, linux-media@vger.kernel.org
References: <0000000000005ace4405bda4af71@google.com>
Cc: syzbot , arnd@arndb.de, glider@google.com, hverkuil-cisco@xs4all.nl, laurent.pinchart@ideasonboard.com, niklas.soderlund+renesas@ragnatech.se, sakari.ailus@linux.intel.com, sergey.senozhatsky@gmail.com, syzkaller-bugs@googlegroups.com, yepeilin.cs@gmail.com
From: Tetsuo Handa
Message-ID: <9c393beb-c45b-6dc3-9955-867c6abffdc4@I-love.SAKURA.ne.jp>
Date: Fri, 18 Jun 2021 19:34:15 +0900
In-Reply-To: <0000000000005ace4405bda4af71@google.com>
X-Mailing-List: linux-media@vger.kernel.org

KMSAN complains that ioctl(VIDIOC_QUERYBUF_TIME32) copies uninitialized
kernel stack memory to userspace [1], for video_usercopy() calls
copy_to_user() even if __video_do_ioctl() returned an -EINVAL error.
Generally, copy_to_user() needn't be called when there was an error.
But video_usercopy() has always_copy logic which forces copy_to_user().
Therefore, instead of not calling copy_to_user(), explicitly initialize
the argument buffer.

----------
/* Compile for 32bit userspace and run on 64bit kernel. */
#include <fcntl.h>      /* open(), O_RDONLY */
#include <sys/ioctl.h>  /* ioctl() */
#include <unistd.h>

#define VIDIOC_QUERYBUF_TIME32 0xc0505609

int main(int argc, char *argv[])
{
	/* Zeroed on the user side, so anything non-zero that comes back
	 * was written by the kernel from its own (uninitialized) buffer. */
	char buf[128] = { };

	ioctl(open("/dev/video0", O_RDONLY), VIDIOC_QUERYBUF_TIME32, &buf);
	return 0;
}
----------

Link: https://syzkaller.appspot.com/bug?id=eb945b02a7b3060a8a60dab673c02f3ab20a048b [1]
Reported-by: syzbot
Signed-off-by: Tetsuo Handa
---
 drivers/media/v4l2-core/v4l2-ioctl.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/media/v4l2-core/v4l2-ioctl.c b/drivers/media/v4l2-core/v4l2-ioctl.c
index 2673f51aafa4..ba204e0200d3 100644
--- a/drivers/media/v4l2-core/v4l2-ioctl.c +++ b/drivers/media/v4l2-core/v4l2-ioctl.c @@ -3240,7 +3240,7 @@ long video_usercopy(struct file *file, unsigned int orig_cmd, unsigned long arg, v4l2_kioctl func) { - char sbuf[128]; + char sbuf[128] = { }; void *mbuf = NULL, *array_buf = NULL; void *parg = (void *)arg; long err = -EINVAL; @@ -3258,7 +3258,7 @@ video_usercopy(struct file *file, unsigned int orig_cmd, unsigned long arg, parg = sbuf; } else { /* too big to allocate from stack */ - mbuf = kmalloc(ioc_size, GFP_KERNEL); + mbuf = kzalloc(ioc_size, GFP_KERNEL); if (NULL == mbuf) return -ENOMEM; parg = mbuf;
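Review bot: in the first hunk (@@ -3240), the new `= { }` initializer on `sbuf` carries no comment saying why it is there; since the reason (the always_copy path copies parg back to userspace even when the handler fails) lives in the commit message rather than the code, a later cleanup could drop the initializer as redundant and silently reintroduce the leak. Suggest a one-line comment beside it, e.g. `char sbuf[128] = { }; /* copied back to user even on error */`. The cost is a 128-byte zeroing per ioctl call, which is negligible; note that `= { }` is the GNU empty-initializer spelling, and `= { 0 }` is the portable form if the subsystem prefers it.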
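Review bot: in the second hunk (@@ -3258), `kmalloc` to `kzalloc` gives the "too big to allocate from stack" path the same guarantee as `sbuf`, but the declaration line visible in the first hunk shows a third buffer, `array_buf`, whose allocation this patch does not touch. Either the commit message should say why it needs no zeroing (for instance, if it is filled entirely from userspace before it is ever copied back), or it should get the same treatment; as the diff stands, a reader cannot tell whether the fix is complete. It would also help to state that the `-EINVAL` return is unchanged and that userspace now receives `ioc_size` bytes of zeros on that path instead of stale heap contents.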