Date: Mon, 14 Jun 2021 19:56:03 +0300
From: Laurent Pinchart
To: Arnd Bergmann
Cc: Hans Verkuil, Mauro Carvalho Chehab, Arnd Bergmann, "Lad, Prabhakar", Eduardo Valentin, Sakari Ailus, Greg Kroah-Hartman, Vaibhav Gupta, Liu Shixin, Jacopo Mondi, Andy Shevchenko, linux-kernel@vger.kernel.org, linux-media@vger.kernel.org, linux-staging@lists.linux.dev
Subject: Re: [PATCH v3 2/8] media: v4l2-core: explicitly clear ioctl input data
References: <20210614103409.3154127-1-arnd@kernel.org> <20210614103409.3154127-3-arnd@kernel.org>
In-Reply-To: <20210614103409.3154127-3-arnd@kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

Hi Arnd,

Thank you for the patch.

On Mon, Jun 14, 2021 at 12:34:03PM +0200, Arnd Bergmann wrote:
> From: Arnd Bergmann
>
> As seen from a recent syzbot bug report, mistakes in the compat ioctl
> implementation can lead to uninitialized kernel stack data getting used
> as input for driver ioctl handlers.
>
> The reported bug is now fixed, but it's possible that other related
> bugs are still present or get added in the future. As the drivers need
> to check user input already, the possible impact is fairly low, but it
> might still cause an information leak.
>
> To be on the safe side, always clear the entire ioctl buffer before
> calling the conversion handler functions that are meant to initialize
> them.
>
> Signed-off-by: Arnd Bergmann
> ---
>  drivers/media/v4l2-core/v4l2-ioctl.c | 2 ++
>  1 file changed, 2 insertions(+)
>
> diff --git a/drivers/media/v4l2-core/v4l2-ioctl.c b/drivers/media/v4l2-core/v4l2-ioctl.c
> index 58df927aec7e..f19e56116e53 100644
> --- a/drivers/media/v4l2-core/v4l2-ioctl.c
> +++ b/drivers/media/v4l2-core/v4l2-ioctl.c
> @@ -3124,8 +3124,10 @@ static int video_get_user(void __user *arg, void *parg,
>  		if (copy_from_user(parg, (void __user *)arg, n))
>  			err = -EFAULT;
>  	} else if (in_compat_syscall()) {
> +		memset(parg, 0, n);
>  		err = v4l2_compat_get_user(arg, parg, cmd);
>  	} else {
> +		memset(parg, 0, n);

This could possibly be moved with the #if block by making it cover the
whole switch, but I don't think this code path will be hit when cmd isn't
one of the values handled below, so it shouldn't matter.

Reviewed-by: Laurent Pinchart

>  		switch (cmd) {
>  #if !defined(CONFIG_64BIT) && defined(CONFIG_COMPAT_32BIT_TIME)
>  		case VIDIOC_QUERYBUF_TIME32:

--
Regards,

Laurent Pinchart
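Review bot: the two added memset(parg, 0, n) calls carry no comment, so the reason for them lives only in the commit message; a one-line comment at the first site (for example `/* clear first: the conversion helpers below may leave fields uninitialized */`) would keep a later cleanup from dropping them as apparently redundant. They could also be hoisted into a single memset ahead of the if/else chain, at the cost of a redundant clear in the copy_from_user() branch, which already overwrites all n bytes; keeping them per branch as posted is fine, and the clear-before-convert ordering is correct in both the compat and the native branch.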
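To make the bug class the commit message describes concrete, here is an added user-space C model that is not kernel code and not part of the patch: a converter that fills only part of the argument struct, run once on the unpatched path and once with the memset(parg, 0, n) the patch adds. The struct, the partial converter and the 0xAA stale fill (standing in for leftover stack contents) are all constructed for this example.

```c
#include <stdint.h>
#include <string.h>

/* Constructed stand-in for a V4L2 ioctl argument struct. */
struct fake_arg {
	uint32_t index;
	uint32_t type;
	uint32_t reserved[2];	/* never written by the converter below */
};

/* Models a compat conversion helper with the bug class the commit
 * describes: it initializes some fields of *parg and forgets the rest. */
static void compat_get_user_partial(const struct fake_arg *user,
				    struct fake_arg *parg)
{
	parg->index = user->index;
	parg->type = user->type;
	/* reserved[] deliberately left untouched */
}

/* Unpatched path: parg is handed to the converter with stale contents. */
static void get_user_unpatched(const struct fake_arg *user, void *parg, size_t n)
{
	(void)n;
	compat_get_user_partial(user, parg);
}

/* Patched path: clear the whole buffer before the converter runs. */
static void get_user_patched(const struct fake_arg *user, void *parg, size_t n)
{
	memset(parg, 0, n);
	compat_get_user_partial(user, parg);
}

/* Runs one path on a buffer pre-filled with a stale byte pattern and
 * returns the reserved[0] value a driver ioctl handler would then see. */
uint32_t reserved_seen_by_driver(int patched)
{
	struct fake_arg user = { .index = 3, .type = 1, .reserved = { 0, 0 } };
	struct fake_arg stale;

	memset(&stale, 0xAA, sizeof(stale));	/* constructed stale contents */
	if (patched)
		get_user_patched(&user, &stale, sizeof(stale));
	else
		get_user_unpatched(&user, &stale, sizeof(stale));
	return stale.reserved[0];	/* unpatched: 0xAAAAAAAA, patched: 0 */
}
```

The unpatched path forwards whatever the buffer previously held, which is the information-leak vector the commit message refers to; the patched path makes the handler see zeros for every field the converter skipped.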