]> git.proxmox.com Git - mirror_ubuntu-eoan-kernel.git/commitdiff
media: gspca: zero usb_buf on error
authorHans Verkuil <hverkuil-cisco@xs4all.nl>
Fri, 16 Aug 2019 06:38:13 +0000 (03:38 -0300)
committerKhalid Elmously <khalid.elmously@canonical.com>
Fri, 18 Oct 2019 08:25:50 +0000 (04:25 -0400)
BugLink: https://bugs.launchpad.net/bugs/1848046
[ Upstream commit 4843a543fad3bf8221cf14e5d5f32d15cee89e84 ]

If reg_r() fails, then gspca_dev->usb_buf was left uninitialized,
and some drivers used the contents of that buffer in logic.

This caused several syzbot errors:

https://syzkaller.appspot.com/bug?extid=397fd082ce5143e2f67d
https://syzkaller.appspot.com/bug?extid=1a35278dd0ebfb3a038a
https://syzkaller.appspot.com/bug?extid=06ddf1788cfd048c5e82

I analyzed the gspca drivers and zeroed the buffer where needed.

Reported-and-tested-by: syzbot+1a35278dd0ebfb3a038a@syzkaller.appspotmail.com
Reported-and-tested-by: syzbot+397fd082ce5143e2f67d@syzkaller.appspotmail.com
Reported-and-tested-by: syzbot+06ddf1788cfd048c5e82@syzkaller.appspotmail.com
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Paolo Pisati <paolo.pisati@canonical.com>
Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
14 files changed:
drivers/media/usb/gspca/konica.c
drivers/media/usb/gspca/nw80x.c
drivers/media/usb/gspca/ov519.c
drivers/media/usb/gspca/ov534.c
drivers/media/usb/gspca/ov534_9.c
drivers/media/usb/gspca/se401.c
drivers/media/usb/gspca/sn9c20x.c
drivers/media/usb/gspca/sonixb.c
drivers/media/usb/gspca/sonixj.c
drivers/media/usb/gspca/spca1528.c
drivers/media/usb/gspca/sq930x.c
drivers/media/usb/gspca/sunplus.c
drivers/media/usb/gspca/vc032x.c
drivers/media/usb/gspca/w996Xcf.c

index d8e40137a2043cb0bec58b7096aaf06ea3daa86a..53db9a2895ea5841340a9100193c5869a4341ce3 100644 (file)
@@ -114,6 +114,11 @@ static void reg_r(struct gspca_dev *gspca_dev, u16 value, u16 index)
        if (ret < 0) {
                pr_err("reg_r err %d\n", ret);
                gspca_dev->usb_err = ret;
+               /*
+                * Make sure the buffer is zeroed to avoid uninitialized
+                * values.
+                */
+               memset(gspca_dev->usb_buf, 0, 2);
        }
 }
 
index 59649704beba10f7d3ef68049999543a326c4df9..880f569bda30f2aac3f64f8e45e66d69b0384864 100644 (file)
@@ -1572,6 +1572,11 @@ static void reg_r(struct gspca_dev *gspca_dev,
        if (ret < 0) {
                pr_err("reg_r err %d\n", ret);
                gspca_dev->usb_err = ret;
+               /*
+                * Make sure the buffer is zeroed to avoid uninitialized
+                * values.
+                */
+               memset(gspca_dev->usb_buf, 0, USB_BUF_SZ);
                return;
        }
        if (len == 1)
index cfb1f53bc17e72baa9f71c59d9fee47695affa2c..f417dfc0b87290539732dc73bbe8de7309e37d43 100644 (file)
@@ -2073,6 +2073,11 @@ static int reg_r(struct sd *sd, u16 index)
        } else {
                gspca_err(gspca_dev, "reg_r %02x failed %d\n", index, ret);
                sd->gspca_dev.usb_err = ret;
+               /*
+                * Make sure the result is zeroed to avoid uninitialized
+                * values.
+                */
+               gspca_dev->usb_buf[0] = 0;
        }
 
        return ret;
@@ -2101,6 +2106,11 @@ static int reg_r8(struct sd *sd,
        } else {
                gspca_err(gspca_dev, "reg_r8 %02x failed %d\n", index, ret);
                sd->gspca_dev.usb_err = ret;
+               /*
+                * Make sure the buffer is zeroed to avoid uninitialized
+                * values.
+                */
+               memset(gspca_dev->usb_buf, 0, 8);
        }
 
        return ret;
index 56521c991db451a66a42dcea2c488d4d34e03162..185c1f10fb30be059727af39d44cbcd16b5adbc5 100644 (file)
@@ -693,6 +693,11 @@ static u8 ov534_reg_read(struct gspca_dev *gspca_dev, u16 reg)
        if (ret < 0) {
                pr_err("read failed %d\n", ret);
                gspca_dev->usb_err = ret;
+               /*
+                * Make sure the result is zeroed to avoid uninitialized
+                * values.
+                */
+               gspca_dev->usb_buf[0] = 0;
        }
        return gspca_dev->usb_buf[0];
 }
index 867f860a965009e80635d6f0250dad2f4bdca120..91efc650cf769038cda4395a04250a4960e25a85 100644 (file)
@@ -1145,6 +1145,7 @@ static u8 reg_r(struct gspca_dev *gspca_dev, u16 reg)
        if (ret < 0) {
                pr_err("reg_r err %d\n", ret);
                gspca_dev->usb_err = ret;
+               return 0;
        }
        return gspca_dev->usb_buf[0];
 }
index 061deee138c31826a99092937c89da855643ba72..e087cfb5980b0e4bdb2217acf45637e451d0b47b 100644 (file)
@@ -101,6 +101,11 @@ static void se401_read_req(struct gspca_dev *gspca_dev, u16 req, int silent)
                        pr_err("read req failed req %#04x error %d\n",
                               req, err);
                gspca_dev->usb_err = err;
+               /*
+                * Make sure the buffer is zeroed to avoid uninitialized
+                * values.
+                */
+               memset(gspca_dev->usb_buf, 0, READ_REQ_SIZE);
        }
 }
 
index b43f89fee6c1d3beba6f33c9ea4e8072e23b5b5a..12a2395a36ac67097413b70ee4d9c5721c978848 100644 (file)
@@ -909,6 +909,11 @@ static void reg_r(struct gspca_dev *gspca_dev, u16 reg, u16 length)
        if (unlikely(result < 0 || result != length)) {
                pr_err("Read register %02x failed %d\n", reg, result);
                gspca_dev->usb_err = result;
+               /*
+                * Make sure the buffer is zeroed to avoid uninitialized
+                * values.
+                */
+               memset(gspca_dev->usb_buf, 0, USB_BUF_SZ);
        }
 }
 
index 046fc2c2a13502f375c630df30fe53dc90e3de23..4d655e2da9cba50f4e4078b861f8a958b2b2cb8d 100644 (file)
@@ -453,6 +453,11 @@ static void reg_r(struct gspca_dev *gspca_dev,
                dev_err(gspca_dev->v4l2_dev.dev,
                        "Error reading register %02x: %d\n", value, res);
                gspca_dev->usb_err = res;
+               /*
+                * Make sure the result is zeroed to avoid uninitialized
+                * values.
+                */
+               gspca_dev->usb_buf[0] = 0;
        }
 }
 
index 50a6c8425827f89ee8c73b193ce57c4eeeda8fb4..2e1bd2df8304a12980ebc169fd38b5122d906535 100644 (file)
@@ -1162,6 +1162,11 @@ static void reg_r(struct gspca_dev *gspca_dev,
        if (ret < 0) {
                pr_err("reg_r err %d\n", ret);
                gspca_dev->usb_err = ret;
+               /*
+                * Make sure the buffer is zeroed to avoid uninitialized
+                * values.
+                */
+               memset(gspca_dev->usb_buf, 0, USB_BUF_SZ);
        }
 }
 
index 2ae03b60163ff0cefef5eb856a1eba5f6cb92dc9..ccc477944ef829fe94ec618ef6dbcd07fab58ed0 100644 (file)
@@ -71,6 +71,11 @@ static void reg_r(struct gspca_dev *gspca_dev,
        if (ret < 0) {
                pr_err("reg_r err %d\n", ret);
                gspca_dev->usb_err = ret;
+               /*
+                * Make sure the buffer is zeroed to avoid uninitialized
+                * values.
+                */
+               memset(gspca_dev->usb_buf, 0, USB_BUF_SZ);
        }
 }
 
index d1ba0888d7989697a9e4c4b374863b7efebb8227..c3610247a90e0939a94280c7744d0ea48bfa9ded 100644 (file)
@@ -425,6 +425,11 @@ static void reg_r(struct gspca_dev *gspca_dev,
        if (ret < 0) {
                pr_err("reg_r %04x failed %d\n", value, ret);
                gspca_dev->usb_err = ret;
+               /*
+                * Make sure the buffer is zeroed to avoid uninitialized
+                * values.
+                */
+               memset(gspca_dev->usb_buf, 0, USB_BUF_SZ);
        }
 }
 
index d0ddfa957ca9f970e04e0c47d18f2e89f3280299..f4a4222f0d2e4f9fcc0ef26b6ea07f0b0106d616 100644 (file)
@@ -255,6 +255,11 @@ static void reg_r(struct gspca_dev *gspca_dev,
        if (ret < 0) {
                pr_err("reg_r err %d\n", ret);
                gspca_dev->usb_err = ret;
+               /*
+                * Make sure the buffer is zeroed to avoid uninitialized
+                * values.
+                */
+               memset(gspca_dev->usb_buf, 0, USB_BUF_SZ);
        }
 }
 
index 588a847ea483450864268041bb67a1f50126abdf..4cb7c92ea1328efde8a5bf3eba55c0d7bc0ae099 100644 (file)
@@ -2906,6 +2906,11 @@ static void reg_r_i(struct gspca_dev *gspca_dev,
        if (ret < 0) {
                pr_err("reg_r err %d\n", ret);
                gspca_dev->usb_err = ret;
+               /*
+                * Make sure the buffer is zeroed to avoid uninitialized
+                * values.
+                */
+               memset(gspca_dev->usb_buf, 0, USB_BUF_SZ);
        }
 }
 static void reg_r(struct gspca_dev *gspca_dev,
index 16b679c2de21f1059cb73ada763528d82ea9505c..a8350ee9712fb18af58b05415833a3bad7f8375d 100644 (file)
@@ -133,6 +133,11 @@ static int w9968cf_read_sb(struct sd *sd)
        } else {
                pr_err("Read SB reg [01] failed\n");
                sd->gspca_dev.usb_err = ret;
+               /*
+                * Make sure the buffer is zeroed to avoid uninitialized
+                * values.
+                */
+               memset(sd->gspca_dev.usb_buf, 0, 2);
        }
 
        udelay(W9968CF_I2C_BUS_DELAY);