Received: by 2002:a05:6a10:8c0a:0:0:0:0 with SMTP id go10csp1973729pxb;
        Fri, 5 Mar 2021 04:31:30 -0800 (PST)
X-Google-Smtp-Source: ABdhPJy87Z/70doR3EOn4RmD2u/7sfKmR9RZJ/Vs4M1XNDtBjYd4tnaO+uQSQokw+SBDOqPf5XgU
X-Received: by 2002:a17:906:22d4:: with SMTP id q20mr2111713eja.54.1614947490541;
        Fri, 05 Mar 2021 04:31:30 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1614947490; cv=none;
        d=google.com; s=arc-20160816;
        b=SY9N4RlCba9aLQ3n6wCigzl3BZ/xwYDllkKEQ2EnH5N35KDpSIcwerpnWKuTFjMIBW
         2ykI33xasSULvaZaymZTLANrd3F4Sq5wZ98b71udMu/qx9f1NIUH/SXdi0q2RsZyW3je
         z9lfitk6vGrDsdz6RVPHuoAJtnS5ZJZIXPgIVGYEo3F7dEVW247snuIsWU1NcPgu9GOi
         BJrNpcXbw/oSXkD6Qv58OS5gKEWBA4RQhpcNcpW3Vxe/i8/+guy9+so9Lyag08nqRyCl
         Bbad5C0iBEZSa+8TVpOMQ0HQAhhf81yMi0dUBof0Jde5BXV2d8X1UISy8gYTq1GV3ejd
         V2rg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:mime-version
         :user-agent:references:in-reply-to:message-id:date:subject:cc:to
         :from:dkim-signature;
        bh=RPwgY2gayyWOZ1pR95Tga7xzXFgokNtBGVaBoEjP1b4=;
        b=mZkYh7mP355D1q5zg0EgdYyClJtiH+WuF5r6m+khVgqS47RNXK0s/+MJD7+uM4wCXP
         UOToBB6G52DCakHrSiOE5i0ZbVMwkXrmLwdQceA4pYtaMA3bjbdqlyROFEsMz1FBlT76
         j1M5hqU/3FoKZzM07k/XABNxdatNREbJXuq+vcMgzLJPoyGUdu1MXQ3uWfmex2PeHpXz
         HG1JEHi845mQtFddlKU0P/t0V60Gsl0mZUj5mrDFWXz9YcL1DLatFVrl2rG6hy7HZ7i7
         D5wyuXLCRnAx/l0gMx6+rww0IWBtvVDdRB6YeuX9a2lk8g+ZLpNlUQGFipW7p9Na1npy
         ltWQ==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=DwKvqdy2;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id f1si1467174edu.216.2021.03.05.04.31.07;
        Fri, 05 Mar 2021 04:31:30 -0800 (PST)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=DwKvqdy2;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S232195AbhCEM26 (ORCPT <rfc822;lvda1993@gmail.com> + 99 others);
        Fri, 5 Mar 2021 07:28:58 -0500
Received: from mail.kernel.org ([198.145.29.99]:36878 "EHLO mail.kernel.org"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S230143AbhCEM20 (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Fri, 5 Mar 2021 07:28:26 -0500
Received: by mail.kernel.org (Postfix) with ESMTPSA id D227065029;
        Fri,  5 Mar 2021 12:28:25 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org;
        s=korg; t=1614947306;
        bh=PyZUVxdJ9OYmIeHDw0sW9AkAYTeYyK7o3KG7+6dJtsc=;
        h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
        b=DwKvqdy2qcrLwteMmRBEE7PjvHZP3GL865SJKUm8TN+aOVl+B1M8xQXMVg29K+hQV
         BJpb6XKY7JeizMWy9ogiVO0WQG7Xdhoex7KzTqX21G4Zj1v5Q2T2Aqy4ZjGRo+VCNF
         1kY9Ofp1++8UMRW5jwvJ33RQqnVxuxPhttx4rD9c=
From:   Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To:     linux-kernel@vger.kernel.org
Cc:     Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        stable@vger.kernel.org, Hans Verkuil <hverkuil-cisco@xs4all.nl>,
        syzbot+42d8c7c3d3e594b34346@syzkaller.appspotmail.com,
        Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
Subject: [PATCH 5.10 011/102] media: v4l2-ctrls.c: fix shift-out-of-bounds in std_validate
Date:   Fri,  5 Mar 2021 13:20:30 +0100
Message-Id: <20210305120903.825852251@linuxfoundation.org>
X-Mailer: git-send-email 2.30.1
In-Reply-To: <20210305120903.276489876@linuxfoundation.org>
References: <20210305120903.276489876@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Hans Verkuil <hverkuil-cisco@xs4all.nl>

commit 048c96e28674f15c0403deba2104ffba64544a06 upstream.

If a menu has more than 64 items, then don't check menu_skip_mask
for items 65 and up.

Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Reported-by: syzbot+42d8c7c3d3e594b34346@syzkaller.appspotmail.com
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/media/v4l2-core/v4l2-ctrls.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/media/v4l2-core/v4l2-ctrls.c
+++ b/drivers/media/v4l2-core/v4l2-ctrls.c
@@ -1987,7 +1987,8 @@ static int std_validate(const struct v4l
 	case V4L2_CTRL_TYPE_INTEGER_MENU:
 		if (ptr.p_s32[idx] < ctrl->minimum || ptr.p_s32[idx] > ctrl->maximum)
 			return -ERANGE;
-		if (ctrl->menu_skip_mask & (1ULL << ptr.p_s32[idx]))
+		if (ptr.p_s32[idx] < BITS_PER_LONG_LONG &&
+		    (ctrl->menu_skip_mask & BIT_ULL(ptr.p_s32[idx])))
 			return -EINVAL;
 		if (ctrl->type == V4L2_CTRL_TYPE_MENU &&
 		    ctrl->qmenu[ptr.p_s32[idx]][0] == '\0')