| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <ff0475f0-b48e-ad5d-ae66-54308bf98464@xs4all.nl>
Date: Mon, 4 Sep 2023 09:23:04 +0200
From: Hans Verkuil <hverkuil@...all.nl>
To: Rajeshwar Shinde <coolrrsh@...il.com>, mchehab@...nel.org,
slark_xiao@....com, linux-media@...r.kernel.org,
linux-kernel@...r.kernel.org
Cc: linux-kernel-mentees@...ts.linuxfoundation.org,
syzbot+e27f3dbdab04e43b9f73@...kaller.appspotmail.com
Subject: Re: [PATCH v5] media: gspca: cpia1: shift-out-of-bounds in
set_flicker
Relax :-) I'll pick it up the next time I go through simple bug fix patches
like this one, probably in 2-3 weeks or so.
Regards,
Hans
On 02/09/2023 19:56, Rajeshwar Shinde wrote:
> Remainder
>
> On Wed, 30 Aug, 2023, 1:14 pm , <coolrrsh@...il.com <mailto:coolrrsh@...il.com>> wrote:
>
> From: Rajeshwar R Shinde <coolrrsh@...il.com <mailto:coolrrsh@...il.com>>
>
> Syzkaller reported the following issue:
> UBSAN: shift-out-of-bounds in drivers/media/usb/gspca/cpia1.c:1031:27
> shift exponent 245 is too large for 32-bit type 'int'
>
> When the value of the variable "sd->params.exposure.gain" exceeds the
> number of bits in an integer, a shift-out-of-bounds error is reported. It
> is triggered because the variable "currentexp" cannot be left-shifted by
> more than the number of bits in an integer. In order to avoid invalid
> range during left-shift, the conditional expression is added.
>
>
> Reported-by: syzbot+e27f3dbdab04e43b9f73@...kaller.appspotmail.com <mailto:syzbot%2Be27f3dbdab04e43b9f73@...kaller.appspotmail.com>
> Closes: https://lore.kernel.org/all/20230818164522.12806-1-coolrrsh@gmail.com <https://lore.kernel.org/all/20230818164522.12806-1-coolrrsh@gmail.com>
> Link: https://syzkaller.appspot.com/bug?extid=e27f3dbdab04e43b9f73
> Signed-off-by <https://syzkaller.appspot.com/bug?extid=e27f3dbdab04e43b9f73Signed-off-by>: Rajeshwar R Shinde <coolrrsh@...il.com <mailto:coolrrsh@...il.com>>
> ---
> v1->v2
> Changed the patch. Instead of avoiding shift operation for invalid
> input of 'exposure.gain', throw an error for invalid range.
> v2->v3
> Changed the commit message details
> v3->v4
> Removed the trailing spaces in commit message
> v4->v5
> Replaced the hardcoded value with inbuilt macro
> ---
> drivers/media/usb/gspca/cpia1.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/drivers/media/usb/gspca/cpia1.c b/drivers/media/usb/gspca/cpia1.c
> index 46ed95483e22..5f5fa851ca64 100644
> --- a/drivers/media/usb/gspca/cpia1.c
> +++ b/drivers/media/usb/gspca/cpia1.c
> @@ -18,6 +18,7 @@
>
> #include <linux/input.h>
> #include <linux/sched/signal.h>
> +#include <linux/bitops.h>
>
> #include "gspca.h"
>
> @@ -1028,6 +1029,8 @@ static int set_flicker(struct gspca_dev *gspca_dev, int on, int apply)
> sd->params.exposure.expMode = 2;
> sd->exposure_status = EXPOSURE_NORMAL;
> }
> + if (sd->params.exposure.gain >= BITS_PER_TYPE(currentexp))
> + return -EINVAL;
> currentexp = currentexp << sd->params.exposure.gain;
> sd->params.exposure.gain = 0;
> /* round down current exposure to nearest value */
> --
> 2.25.1
>
Powered by blists - more mailing lists