| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 10 Jun 2021 23:43:00 +0200
From: Arnd Bergmann <arnd@...nel.org>
To: Hans Verkuil <hverkuil-cisco@...all.nl>,
Mauro Carvalho Chehab <mchehab@...nel.org>
Cc: Arnd Bergmann <arnd@...db.de>,
"Lad, Prabhakar" <prabhakar.csengg@...il.com>,
Eduardo Valentin <edubezval@...il.com>,
Sakari Ailus <sakari.ailus@...ux.intel.com>,
Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
Vaibhav Gupta <vaibhavgupta40@...il.com>,
Liu Shixin <liushixin2@...wei.com>,
Laurent Pinchart <laurent.pinchart@...asonboard.com>,
Jacopo Mondi <jacopo+renesas@...ndi.org>,
Andy Shevchenko <andriy.shevchenko@...ux.intel.com>,
linux-kernel@...r.kernel.org, linux-media@...r.kernel.org,
linux-staging@...ts.linux.dev
Subject: [PATCH v2 2/7] media: v4l2-core: explicitly clear ioctl input data
From: Arnd Bergmann <arnd@...db.de>
As seen from a recent syzbot bug report, mistakes in the compat ioctl
implementation can lead to uninitialized kernel stack data getting used
as input for driver ioctl handlers.
The reported bug is now fixed, but it's possible that other related
bugs are still present or get added in the future. As the drivers need
to check user input already, the possible impact is fairly low, but it
might still cause an information leak.
To be on the safe side, always clear the entire ioctl buffer before
calling the conversion handler functions that are meant to initialize
them.
Signed-off-by: Arnd Bergmann <arnd@...db.de>
---
drivers/media/v4l2-core/v4l2-ioctl.c | 51 ++++++++++++++++------------
1 file changed, 29 insertions(+), 22 deletions(-)
diff --git a/drivers/media/v4l2-core/v4l2-ioctl.c b/drivers/media/v4l2-core/v4l2-ioctl.c
index 58df927aec7e..bf5eb07296a5 100644
--- a/drivers/media/v4l2-core/v4l2-ioctl.c
+++ b/drivers/media/v4l2-core/v4l2-ioctl.c
@@ -3122,12 +3122,23 @@ static int video_get_user(void __user *arg, void *parg,
if (cmd == real_cmd) {
if (copy_from_user(parg, (void __user *)arg, n))
- err = -EFAULT;
- } else if (in_compat_syscall()) {
- err = v4l2_compat_get_user(arg, parg, cmd);
- } else {
- switch (cmd) {
+ return -EFAULT;
+
+ /* zero out anything we don't copy from userspace */
+ if (n < _IOC_SIZE(real_cmd))
+ memset((u8 *)parg + n, 0, _IOC_SIZE(real_cmd) - n);
+
+ return 0;
+ }
+
+ /* zero out whole buffer first to deal with missing emulation */
+ memset(parg, 0, _IOC_SIZE(real_cmd));
+
+ if (in_compat_syscall())
+ return v4l2_compat_get_user(arg, parg, cmd);
+
#if !defined(CONFIG_64BIT) && defined(CONFIG_COMPAT_32BIT_TIME)
+ switch (cmd) {
case VIDIOC_QUERYBUF_TIME32:
case VIDIOC_QBUF_TIME32:
case VIDIOC_DQBUF_TIME32:
@@ -3140,28 +3151,24 @@ static int video_get_user(void __user *arg, void *parg,
*vb = (struct v4l2_buffer) {
.index = vb32.index,
- .type = vb32.type,
- .bytesused = vb32.bytesused,
- .flags = vb32.flags,
- .field = vb32.field,
- .timestamp.tv_sec = vb32.timestamp.tv_sec,
- .timestamp.tv_usec = vb32.timestamp.tv_usec,
- .timecode = vb32.timecode,
- .sequence = vb32.sequence,
- .memory = vb32.memory,
- .m.userptr = vb32.m.userptr,
- .length = vb32.length,
- .request_fd = vb32.request_fd,
+ .type = vb32.type,
+ .bytesused = vb32.bytesused,
+ .flags = vb32.flags,
+ .field = vb32.field,
+ .timestamp.tv_sec = vb32.timestamp.tv_sec,
+ .timestamp.tv_usec = vb32.timestamp.tv_usec,
+ .timecode = vb32.timecode,
+ .sequence = vb32.sequence,
+ .memory = vb32.memory,
+ .m.userptr = vb32.m.userptr,
+ .length = vb32.length,
+ .request_fd = vb32.request_fd,
};
break;
}
-#endif
- }
}
+#endif
- /* zero out anything we don't copy from userspace */
- if (!err && n < _IOC_SIZE(real_cmd))
- memset((u8 *)parg + n, 0, _IOC_SIZE(real_cmd) - n);
return err;
}
--
2.29.2
Powered by blists - more mailing lists