Date: Sun, 13 Oct 2019 19:08:45 -0700
From: Vito Caputo
To: mkrufky@linuxtv.org
Cc: linux-media@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH] media: cxusb: detect cxusb_ctrl_msg error in query
Message-ID: <20191014020845.247utwi3pjbvb6il@shells.gnugeneration.com>

Don't use uninitialized ircode[] in cxusb_rc_query() when
cxusb_ctrl_msg() fails to populate its contents.

syzbot reported:

dvb-usb: bulk message failed: -22 (1/-30591)
=====================================================
BUG: KMSAN: uninit-value in ir_lookup_by_scancode drivers/media/rc/rc-main.c:494 [inline]
BUG: KMSAN: uninit-value in rc_g_keycode_from_table drivers/media/rc/rc-main.c:582 [inline]
BUG: KMSAN: uninit-value in rc_keydown+0x1a6/0x6f0 drivers/media/rc/rc-main.c:816
CPU: 1 PID: 11436 Comm: kworker/1:2 Not tainted 5.3.0-rc7+ #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: events dvb_usb_read_remote_control
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x191/0x1f0 lib/dump_stack.c:113
 kmsan_report+0x13a/0x2b0 mm/kmsan/kmsan_report.c:108
 __msan_warning+0x73/0xe0 mm/kmsan/kmsan_instr.c:250
 bsearch+0x1dd/0x250 lib/bsearch.c:41
 ir_lookup_by_scancode drivers/media/rc/rc-main.c:494 [inline]
 rc_g_keycode_from_table drivers/media/rc/rc-main.c:582 [inline]
 rc_keydown+0x1a6/0x6f0 drivers/media/rc/rc-main.c:816
 cxusb_rc_query+0x2e1/0x360 drivers/media/usb/dvb-usb/cxusb.c:548
 dvb_usb_read_remote_control+0xf9/0x290 drivers/media/usb/dvb-usb/dvb-usb-remote.c:261
 process_one_work+0x1572/0x1ef0 kernel/workqueue.c:2269
 worker_thread+0x111b/0x2460 kernel/workqueue.c:2415
 kthread+0x4b5/0x4f0 kernel/kthread.c:256
 ret_from_fork+0x35/0x40 arch/x86/entry/entry_64.S:355

Uninit was stored to memory at:
kmsan_save_stack_with_flags mm/kmsan/kmsan.c:150 [inline] kmsan_internal_chain_origin+0xd2/0x170 mm/kmsan/kmsan.c:314 __msan_chain_origin+0x6b/0xe0 mm/kmsan/kmsan_instr.c:184 rc_g_keycode_from_table drivers/media/rc/rc-main.c:583 [inline] rc_keydown+0x2c4/0x6f0 drivers/media/rc/rc-main.c:816 cxusb_rc_query+0x2e1/0x360 drivers/media/usb/dvb-usb/cxusb.c:548 dvb_usb_read_remote_control+0xf9/0x290 drivers/media/usb/dvb-usb/dvb-usb-remote.c:261 process_one_work+0x1572/0x1ef0 kernel/workqueue.c:2269 worker_thread+0x111b/0x2460 kernel/workqueue.c:2415 kthread+0x4b5/0x4f0 kernel/kthread.c:256 ret_from_fork+0x35/0x40 arch/x86/entry/entry_64.S:355 Local variable description: ----ircode@cxusb_rc_query Variable was created at: cxusb_rc_query+0x4d/0x360 drivers/media/usb/dvb-usb/cxusb.c:543 dvb_usb_read_remote_control+0xf9/0x290 drivers/media/usb/dvb-usb/dvb-usb-remote.c:261 Signed-off-by: Vito Caputo Reported-by: syzbot --- drivers/media/usb/dvb-usb/cxusb.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/media/usb/dvb-usb/cxusb.c b/drivers/media/usb/dvb-usb/cxusb.c index f02fa0a67aa4..fac19ec46089 100644 --- a/drivers/media/usb/dvb-usb/cxusb.c +++ b/drivers/media/usb/dvb-usb/cxusb.c @@ -521,7 +521,8 @@ static int cxusb_rc_query(struct dvb_usb_device *d) { u8 ircode[4]; - cxusb_ctrl_msg(d, CMD_GET_IR_CODE, NULL, 0, ircode, 4); + if (cxusb_ctrl_msg(d, CMD_GET_IR_CODE, NULL, 0, ircode, 4) < 0) + return 0; if (ircode[2] || ircode[3]) rc_keydown(d->rc_dev, RC_PROTO_NEC, -- 2.11.0
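
Review bot: the new `return 0;` in cxusb_rc_query() reports a failed cxusb_ctrl_msg() to the caller as success, so a transfer error becomes indistinguishable from "no key pressed", and the commit message does not say whether that is intended. cxusb_rc_query() returns int, so consider storing the result of cxusb_ctrl_msg() in a local and returning it on failure, or add a sentence to the commit message explaining why the error is deliberately swallowed. Two smaller points on the same line: the literal 4 repeats the size of `u8 ircode[4];` and could be `sizeof(ircode)`, and the check only covers a negative return, so if cxusb_ctrl_msg() can succeed while filling fewer than 4 bytes (not visible in this hunk), zero-initialising ircode[] would close that path as well.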