| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <tencent_A536BA4B40741D769567D23CF5373096CA09@qq.com> Date: Tue, 3 Sep 2024 10:57:55 +0800 From: Edward Adam Davis <eadavis@...com> To: syzbot+a828133770f62293563e@...kaller.appspotmail.com Cc: linux-kernel@...r.kernel.org, linux-media@...r.kernel.org, mchehab@...nel.org, syzkaller-bugs@...glegroups.com Subject: Re: [syzbot] [media?] WARNING in __v4l2_ctrl_modify_dimensions The warning appears because the size passed to kvzalloc is larger than INT_MAX. Add parameter size check before calling kvzalloc in __v4l2_ctrl_modify_dimensions. #syz test diff --git a/drivers/media/v4l2-core/v4l2-ctrls-api.c b/drivers/media/v4l2-core/v4l2-ctrls-api.c index e5a364efd5e6..0b008cc94901 100644 --- a/drivers/media/v4l2-core/v4l2-ctrls-api.c +++ b/drivers/media/v4l2-core/v4l2-ctrls-api.c @@ -986,6 +986,7 @@ int __v4l2_ctrl_modify_dimensions(struct v4l2_ctrl *ctrl, unsigned int elems = 1; unsigned int i; void *p_array; + unsigned int bytes; lockdep_assert_held(ctrl->handler->lock); @@ -996,7 +997,12 @@ int __v4l2_ctrl_modify_dimensions(struct v4l2_ctrl *ctrl, elems *= dims[i]; if (elems == 0) return -EINVAL; - p_array = kvzalloc(2 * elems * ctrl->elem_size, GFP_KERNEL); + + bytes = 2 * elems * ctrl->elem_size; + if (unlikely(bytes > INT_MAX)) + return -EINVAL; + + p_array = kvzalloc(bytes, GFP_KERNEL); if (!p_array) return -ENOMEM; kvfree(ctrl->p_array);
Powered by blists - more mailing lists