Received: by 2002:ab2:6816:0:b0:1f9:5764:f03e with SMTP id t22csp1039493lqo;
        Fri, 17 May 2024 08:58:36 -0700 (PDT)
X-Forwarded-Encrypted: i=2; AJvYcCVetDRl6nbNnxVIUc3L2F/DIzQZbu4t0Be2pTTWVYILnbYO7CPzHHbt98qKnLWnVZDabwT6weHF9jKG72dU09SS4jWHp//Feck/BH7TLQ==
X-Google-Smtp-Source: AGHT+IE88gGix0GaJzOo10VzKgpIw1PtVC3qk+ese956wF3NlszVpRYNIJKRd9uap2OYxxkXUnMx
X-Received: by 2002:a05:6871:5b18:b0:23c:ca14:bdd with SMTP id 586e51a60fabf-24172f672e0mr25416367fac.47.1715961516225;
        Fri, 17 May 2024 08:58:36 -0700 (PDT)
Return-Path: <linux-kernel+bounces-182324-linux.lists.archive=gmail.com@vger.kernel.org>
Received: from ny.mirrors.kernel.org (ny.mirrors.kernel.org. [2604:1380:45d1:ec00::1])
        by mx.google.com with ESMTPS id d75a77b69052e-43df549d039si187117911cf.104.2024.05.17.08.58.36
        for <linux.lists.archive@gmail.com>
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Fri, 17 May 2024 08:58:36 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel+bounces-182324-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45d1:ec00::1 as permitted sender) client-ip=2604:1380:45d1:ec00::1;
Authentication-Results: mx.google.com;
       arc=fail (body hash mismatch);
       spf=pass (google.com: domain of linux-kernel+bounces-182324-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45d1:ec00::1 as permitted sender) smtp.mailfrom="linux-kernel+bounces-182324-linux.lists.archive=gmail.com@vger.kernel.org"
Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by ny.mirrors.kernel.org (Postfix) with ESMTPS id E4D7D1C21197
	for <linux.lists.archive@gmail.com>; Fri, 17 May 2024 15:58:35 +0000 (UTC)
Received: from localhost.localdomain (localhost.localdomain [127.0.0.1])
	by smtp.subspace.kernel.org (Postfix) with ESMTP id 2D1CC12FF62;
	Fri, 17 May 2024 15:58:18 +0000 (UTC)
Received: from exchange.fintech.ru (exchange.fintech.ru [195.54.195.159])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 0C9A112FB12;
	Fri, 17 May 2024 15:58:12 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=195.54.195.159
ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1715961497; cv=none; b=OkV1BBq+OPNx0SNrD8g+elt7C0skt4ocslgBa+JWL1HkUWqT9OzF9TbHoUoNnAxTpS7knWN8+Ak3+b6Or2cMIyrYKSxlAOCxLuofAzYqFqBpsGKZcXXERfhi1mVYRf5f9DGZ1VrJCqOz8DykfZ7GIZ0FRQ896Zu/Q7S4mAzOMVU=
ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1715961497; c=relaxed/simple;
	bh=jPs7IHbfPkYSUHCi80uToaFuP+PivAQ4suilrpSf6d0=;
	h=From:To:CC:Subject:Date:Message-ID:MIME-Version:Content-Type; b=Lew5scVLwuXsblXIFM+xjT3Z+czN2I+ILoxbgWrypHWv0WXQh9v++AJDal3AqnVN+fvUrEw7Qz0U1WoN/JEIYbR0/IzU7hCooFg28p4MYyUZ3oA0jS9Sc8C7Zd2x43TdgfLPuX8Vl1O7WEDCAtHM9dMDo5E4k4l7bIY2LnS4fyo=
ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=fintech.ru; spf=pass smtp.mailfrom=fintech.ru; arc=none smtp.client-ip=195.54.195.159
Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=fintech.ru
Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=fintech.ru
Received: from Ex16-01.fintech.ru (10.0.10.18) by exchange.fintech.ru
 (195.54.195.169) with Microsoft SMTP Server (TLS) id 14.3.498.0; Fri, 17 May
 2024 18:58:10 +0300
Received: from localhost (10.0.253.138) by Ex16-01.fintech.ru (10.0.10.18)
 with Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2242.4; Fri, 17 May
 2024 18:58:10 +0300
From: Nikita Zhandarovich <n.zhandarovich@fintech.ru>
To: Mauro Carvalho Chehab <mchehab@kernel.org>, Hans Verkuil
	<hverkuil-cisco@xs4all.nl>
CC: Nikita Zhandarovich <n.zhandarovich@fintech.ru>, Luis Chamberlain
	<mcgrof@kernel.org>, Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	"Patrick Boettcher" <pb@linuxtv.org>, <linux-media@vger.kernel.org>,
	<linux-kernel@vger.kernel.org>,
	<syzbot+c88fc0ebe0d5935c70da@syzkaller.appspotmail.com>
Subject: [PATCH] media: dvb-frontends: dib3000mb: fix uninit-value in dib3000_write_reg
Date: Fri, 17 May 2024 08:58:00 -0700
Message-ID: <20240517155800.9881-1-n.zhandarovich@fintech.ru>
X-Mailer: git-send-email 2.25.1
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Content-Type: text/plain
X-ClientProxiedBy: Ex16-02.fintech.ru (10.0.10.19) To Ex16-01.fintech.ru
 (10.0.10.18)

Syzbot reports [1] an uninitialized value issue found by KMSAN in
dib3000_read_reg().

Local u8 rb[2] is used in i2c_transfer() as a read buffer; in case
that call fails, the buffer may end up with some undefined values.

Since no elaborate error handling is expected in dib3000_write_reg(),
simply zero out rb buffer to mitigate the problem.

[1] Syzkaller report
dvb-usb: bulk message failed: -22 (6/0)
=====================================================
BUG: KMSAN: uninit-value in dib3000mb_attach+0x2d8/0x3c0 drivers/media/dvb-frontends/dib3000mb.c:758
 dib3000mb_attach+0x2d8/0x3c0 drivers/media/dvb-frontends/dib3000mb.c:758
 dibusb_dib3000mb_frontend_attach+0x155/0x2f0 drivers/media/usb/dvb-usb/dibusb-mb.c:31
 dvb_usb_adapter_frontend_init+0xed/0x9a0 drivers/media/usb/dvb-usb/dvb-usb-dvb.c:290
 dvb_usb_adapter_init drivers/media/usb/dvb-usb/dvb-usb-init.c:90 [inline]
 dvb_usb_init drivers/media/usb/dvb-usb/dvb-usb-init.c:186 [inline]
 dvb_usb_device_init+0x25a8/0x3760 drivers/media/usb/dvb-usb/dvb-usb-init.c:310
 dibusb_probe+0x46/0x250 drivers/media/usb/dvb-usb/dibusb-mb.c:110
..
Local variable rb created at:
 dib3000_read_reg+0x86/0x4e0 drivers/media/dvb-frontends/dib3000mb.c:54
 dib3000mb_attach+0x123/0x3c0 drivers/media/dvb-frontends/dib3000mb.c:758
..

Fixes: 74340b0a8bc6 ("V4L/DVB (4457): Remove dib3000-common-module")
Reported-by: syzbot+c88fc0ebe0d5935c70da@syzkaller.appspotmail.com
Signed-off-by: Nikita Zhandarovich <n.zhandarovich@fintech.ru>
---
 drivers/media/dvb-frontends/dib3000mb.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/media/dvb-frontends/dib3000mb.c b/drivers/media/dvb-frontends/dib3000mb.c
index c598b2a63325..7c452ddd9e40 100644
--- a/drivers/media/dvb-frontends/dib3000mb.c
+++ b/drivers/media/dvb-frontends/dib3000mb.c
@@ -51,7 +51,7 @@ MODULE_PARM_DESC(debug, "set debugging level (1=info,2=xfer,4=setfe,8=getfe (|-a
 static int dib3000_read_reg(struct dib3000_state *state, u16 reg)
 {
 	u8 wb[] = { ((reg >> 8) | 0x80) & 0xff, reg & 0xff };
-	u8 rb[2];
+	u8 rb[2] = {};
 	struct i2c_msg msg[] = {
 		{ .addr = state->config.demod_address, .flags = 0,        .buf = wb, .len = 2 },
 		{ .addr = state->config.demod_address, .flags = I2C_M_RD, .buf = rb, .len = 2 },