From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Arnd Bergmann, "Gustavo A. R. Silva", Kees Cook, Laurent Pinchart, Sakari Ailus, Mauro Carvalho Chehab
Subject: [PATCH 5.16 0173/1017] media: omap3isp: Use struct_group() for memcpy() region
Date: Tue, 5 Apr 2022 09:18:06 +0200
Message-Id: <20220405070359.364257842@linuxfoundation.org>
In-Reply-To: <20220405070354.155796697@linuxfoundation.org>
References: <20220405070354.155796697@linuxfoundation.org>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Kees Cook

commit d4568fc8525897e683983806f813be1ae9eedaed upstream.

In preparation for FORTIFY_SOURCE performing compile-time and run-time
field bounds checking for memcpy(), memmove(), and memset(), avoid
intentionally writing across neighboring fields. Wrap the target region
in struct_group(). This additionally fixes a theoretical misalignment
of the copy (since the size of "buf" changes between 64-bit and 32-bit,
but this is likely never built for 64-bit).

FWIW, I think this code is totally broken on 64-bit (which appears to
not be a "real" build configuration): it would either always fail (with
an uninitialized data->buf_size) or would cause corruption in userspace
due to the copy_to_user() in the call path against an uninitialized
data->buf value:

    omap3isp_stat_request_statistics_time32(...)
        struct omap3isp_stat_data data64;
        ...
        omap3isp_stat_request_statistics(stat, &data64);

    int omap3isp_stat_request_statistics(struct ispstat *stat,
                                         struct omap3isp_stat_data *data)
        ...
        buf = isp_stat_buf_get(stat, data);

    static struct ispstat_buffer *isp_stat_buf_get(struct ispstat *stat,
                                                   struct omap3isp_stat_data *data)
        ...
        if (buf->buf_size > data->buf_size) {
                ...
                return ERR_PTR(-EINVAL);
        }
        ...
        rval = copy_to_user(data->buf,
                            buf->virt_addr,
                            buf->buf_size);

Regardless, additionally initialize data64 to be zero-filled to avoid
undefined behavior.

Link: https://lore.kernel.org/lkml/20211215220505.GB21862@embeddedor
Cc: Arnd Bergmann
Fixes: 378e3f81cb56 ("media: omap3isp: support 64-bit version of omap3isp_stat_data")
Cc: stable@vger.kernel.org
Reviewed-by: Gustavo A. R. Silva
Signed-off-by: Kees Cook
Reviewed-by: Laurent Pinchart
Signed-off-by: Sakari Ailus
Signed-off-by: Mauro Carvalho Chehab
Signed-off-by: Greg Kroah-Hartman
---
 drivers/media/platform/omap3isp/ispstat.c |  5 +++--
 include/uapi/linux/omap3isp.h             | 21 +++++++++++++--------
 2 files changed, 16 insertions(+), 10 deletions(-)

--- a/drivers/media/platform/omap3isp/ispstat.c
+++ b/drivers/media/platform/omap3isp/ispstat.c @@ -512,7 +512,7 @@ int omap3isp_stat_request_statistics(str int omap3isp_stat_request_statistics_time32(struct ispstat *stat, struct omap3isp_stat_data_time32 *data) { - struct omap3isp_stat_data data64; + struct omap3isp_stat_data data64 = { }; int ret; ret = omap3isp_stat_request_statistics(stat, &data64); @@ -521,7 +521,8 @@ int omap3isp_stat_request_statistics_tim data->ts.tv_sec = data64.ts.tv_sec; data->ts.tv_usec = data64.ts.tv_usec; - memcpy(&data->buf, &data64.buf, sizeof(*data) - sizeof(data->ts)); + data->buf = (uintptr_t)data64.buf; + memcpy(&data->frame, &data64.frame, sizeof(data->frame)); return 0; } --- a/include/uapi/linux/omap3isp.h +++ b/include/uapi/linux/omap3isp.h @@ -162,6 +162,7 @@ struct omap3isp_h3a_aewb_config { * struct omap3isp_stat_data - Statistic data sent to or received from user * @ts: Timestamp of returned framestats. * @buf: Pointer to pass to user. + * @buf_size: Size of buffer. * @frame_number: Frame number of requested stats. * @cur_frame: Current frame number being processed. * @config_counter: Number of the configuration associated with the data. @@ -176,10 +177,12 @@ struct omap3isp_stat_data { struct timeval ts; #endif void __user *buf; - __u32 buf_size; - __u16 frame_number; - __u16 cur_frame; - __u16 config_counter; + __struct_group(/* no tag */, frame, /* no attrs */, + __u32 buf_size; + __u16 frame_number; + __u16 cur_frame; + __u16 config_counter; + ); }; #ifdef __KERNEL__ @@ -189,10 +192,12 @@ struct omap3isp_stat_data_time32 { __s32 tv_usec; } ts; __u32 buf; - __u32 buf_size; - __u16 frame_number; - __u16 cur_frame; - __u16 config_counter; + __struct_group(/* no tag */, frame, /* no attrs */, + __u32 buf_size; + __u16 frame_number; + __u16 cur_frame; + __u16 config_counter; + ); }; #endif
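
Review bot: In the first ispstat.c hunk (@@ -512,7 +512,7 @@), zero-filling data64 removes the undefined behaviour, but the visible context still calls omap3isp_stat_request_statistics(stat, &data64) without first copying the caller's buf and buf_size from *data into data64. With buf_size now always 0, the "buf->buf_size > data->buf_size" check quoted in the commit message rejects any non-empty statistics buffer with -EINVAL, so the request fails deterministically instead of working. Suggest populating data64.buf and data64.buf_size from data before the call, or adding a comment that says why the request fields are not forwarded.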
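
Review bot: In the second ispstat.c hunk (@@ -521,7 +521,8 @@), "data->buf = (uintptr_t)data64.buf;" narrows implicitly: the header hunk declares buf as __u32 in struct omap3isp_stat_data_time32, so wherever uintptr_t is wider than 32 bits the upper bits are dropped without any marker in the code. Suggest making the narrowing explicit, for example "data->buf = (__u32)(uintptr_t)data64.buf;", or adding a one-line comment that the truncation is intended for the 32-bit layout.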
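
Review bot: In the last omap3isp.h hunk (@@ -189,10 +192,12 @@), the "frame" group repeats the member list already written out for struct omap3isp_stat_data in the previous hunk, and nothing enforces that the two copies stay identical, while the new memcpy() in ispstat.c takes its length from sizeof(data->frame) alone. Suggest a BUILD_BUG_ON(sizeof(data->frame) != sizeof(data64.frame)) next to the memcpy() so that a later edit to only one of the structs breaks the build instead of producing an over-read or a short copy.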
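
The copy misalignment the commit message describes, as an added userspace model that is not part of the original patch or the kernel tree. STRUCT_GROUP is a simplified stand-in for __struct_group(), the struct and function names are hypothetical, and the sample values are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Userspace stand-in for __struct_group(): members are declared twice in an
 * anonymous union, so sizeof(s.NAME) spans exactly the grouped fields. */
#define STRUCT_GROUP(NAME, ...) \
	union { struct { __VA_ARGS__ }; struct { __VA_ARGS__ } NAME; }
#define FRAME_FIELDS uint32_t buf_size; uint16_t frame_number; \
	uint16_t cur_frame; uint16_t config_counter;

struct stat_data64 {	/* models struct omap3isp_stat_data */
	struct { int64_t tv_sec, tv_usec; } ts;
	void *buf;
	STRUCT_GROUP(frame, FRAME_FIELDS);
};
struct stat_data32 {	/* models struct omap3isp_stat_data_time32 */
	struct { int32_t tv_sec, tv_usec; } ts;
	uint32_t buf;
	STRUCT_GROUP(frame, FRAME_FIELDS);
};

/* Pre-patch: one copy from "buf" to the end of the 32-bit struct, modelled
 * with byte offsets (ts is converted separately and left out here). */
struct stat_data32 convert_old(const struct stat_data64 *src)
{
	struct stat_data32 dst = {0};
	memcpy((unsigned char *)&dst + offsetof(struct stat_data32, buf),
	       (const unsigned char *)src + offsetof(struct stat_data64, buf),
	       sizeof(dst) - sizeof(dst.ts));
	return dst;
}

/* Post-patch: assign the pointer, then copy only the named group. */
struct stat_data32 convert_new(const struct stat_data64 *src)
{
	struct stat_data32 dst = {0};
	_Static_assert(sizeof(dst.frame) == sizeof(src->frame), "group size");
	dst.buf = (uint32_t)(uintptr_t)src->buf;
	memcpy(&dst.frame, &src->frame, sizeof(dst.frame));
	return dst;
}

int main(void)
{
	struct stat_data64 s = {0};	/* constructed sample, never dereferenced */
	s.buf = (void *)(uintptr_t)0x1122334455667788ULL;
	s.buf_size = 4096;
	return convert_new(&s).buf_size == 4096 ? 0 : 1;
}
```

Where pointers are 8 bytes, convert_old() shifts every field after buf by four bytes, so part of the pointer lands in buf_size; convert_new() is independent of the pointer width.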