LKML Archive on lore.kernel.org
help / color / mirror / Atom feed
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org,
	syzbot+66010012fd4c531a1a96@syzkaller.appspotmail.com,
	Vandana BN <bnvandana@gmail.com>,
	Hans Verkuil <hverkuil-cisco@xs4all.nl>,
	Mauro Carvalho Chehab <mchehab+samsung@kernel.org>,
	Ben Hutchings <ben.hutchings@codethink.co.uk>
Subject: [PATCH 4.19 11/84] media: usb:zr364xx:Fix KASAN:null-ptr-deref Read in zr364xx_vidioc_querycap
Date: Fri, 17 Jan 2020 00:17:45 +0100	[thread overview]
Message-ID: <20200116231714.921855815@linuxfoundation.org> (raw)
In-Reply-To: <20200116231713.087649517@linuxfoundation.org>

From: Vandana BN <bnvandana@gmail.com>

commit 5d2e73a5f80a5b5aff3caf1ec6d39b5b3f54b26e upstream.

SyzKaller hit the null pointer deref while reading from uninitialized
udev->product in zr364xx_vidioc_querycap().

==================================================================
BUG: KASAN: null-ptr-deref in read_word_at_a_time+0xe/0x20
include/linux/compiler.h:274
Read of size 1 at addr 0000000000000000 by task v4l_id/5287

CPU: 1 PID: 5287 Comm: v4l_id Not tainted 5.1.0-rc3-319004-g43151d6 #6
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
  __dump_stack lib/dump_stack.c:77 [inline]
  dump_stack+0xe8/0x16e lib/dump_stack.c:113
  kasan_report.cold+0x5/0x3c mm/kasan/report.c:321
  read_word_at_a_time+0xe/0x20 include/linux/compiler.h:274
  strscpy+0x8a/0x280 lib/string.c:207
  zr364xx_vidioc_querycap+0xb5/0x210 drivers/media/usb/zr364xx/zr364xx.c:706
  v4l_querycap+0x12b/0x340 drivers/media/v4l2-core/v4l2-ioctl.c:1062
  __video_do_ioctl+0x5bb/0xb40 drivers/media/v4l2-core/v4l2-ioctl.c:2874
  video_usercopy+0x44e/0xf00 drivers/media/v4l2-core/v4l2-ioctl.c:3056
  v4l2_ioctl+0x14e/0x1a0 drivers/media/v4l2-core/v4l2-dev.c:364
  vfs_ioctl fs/ioctl.c:46 [inline]
  file_ioctl fs/ioctl.c:509 [inline]
  do_vfs_ioctl+0xced/0x12f0 fs/ioctl.c:696
  ksys_ioctl+0xa0/0xc0 fs/ioctl.c:713
  __do_sys_ioctl fs/ioctl.c:720 [inline]
  __se_sys_ioctl fs/ioctl.c:718 [inline]
  __x64_sys_ioctl+0x74/0xb0 fs/ioctl.c:718
  do_syscall_64+0xcf/0x4f0 arch/x86/entry/common.c:290
  entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x7f3b56d8b347
Code: 90 90 90 48 8b 05 f1 fa 2a 00 64 c7 00 26 00 00 00 48 c7 c0 ff ff ff
ff c3 90 90 90 90 90 90 90 90 90 90 b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff
ff 73 01 c3 48 8b 0d c1 fa 2a 00 31 d2 48 29 c2 64
RSP: 002b:00007ffe005d5d68 EFLAGS: 00000202 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f3b56d8b347
RDX: 00007ffe005d5d70 RSI: 0000000080685600 RDI: 0000000000000003
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000400884
R13: 00007ffe005d5ec0 R14: 0000000000000000 R15: 0000000000000000
==================================================================

For this device udev->product is not initialized and accessing it causes a NULL pointer deref.

The fix is to check for NULL before strscpy() and copy empty string, if
product is NULL

Reported-by: syzbot+66010012fd4c531a1a96@syzkaller.appspotmail.com
Signed-off-by: Vandana BN <bnvandana@gmail.com>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
[bwh: Backported to 4.19: This function uses strlcpy() instead of strscpy()]
Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/media/usb/zr364xx/zr364xx.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/media/usb/zr364xx/zr364xx.c
+++ b/drivers/media/usb/zr364xx/zr364xx.c
@@ -703,7 +703,8 @@ static int zr364xx_vidioc_querycap(struc
 	struct zr364xx_camera *cam = video_drvdata(file);
 
 	strlcpy(cap->driver, DRIVER_DESC, sizeof(cap->driver));
-	strlcpy(cap->card, cam->udev->product, sizeof(cap->card));
+	if (cam->udev->product)
+		strlcpy(cap->card, cam->udev->product, sizeof(cap->card));
 	strlcpy(cap->bus_info, dev_name(&cam->udev->dev),
 		sizeof(cap->bus_info));
 	cap->device_caps = V4L2_CAP_VIDEO_CAPTURE |



  parent reply	other threads:[~2020-01-16 23:40 UTC|newest]

Thread overview: 89+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-01-16 23:17 [PATCH 4.19 00/84] 4.19.97-stable review Greg Kroah-Hartman
2020-01-16 23:17 ` [PATCH 4.19 01/84] hidraw: Return EPOLLOUT from hidraw_poll Greg Kroah-Hartman
2020-01-16 23:17 ` [PATCH 4.19 02/84] HID: hidraw: Fix returning " Greg Kroah-Hartman
2020-01-16 23:17 ` [PATCH 4.19 03/84] HID: hidraw, uhid: Always report EPOLLOUT Greg Kroah-Hartman
2020-01-16 23:17 ` [PATCH 4.19 04/84] ethtool: reduce stack usage with clang Greg Kroah-Hartman
2020-01-16 23:17 ` [PATCH 4.19 05/84] fs/select: avoid clang stack usage warning Greg Kroah-Hartman
2020-01-16 23:17 ` [PATCH 4.19 06/84] cfg80211/mac80211: make ieee80211_send_layer2_update a public function Greg Kroah-Hartman
2020-01-16 23:17 ` [PATCH 4.19 07/84] mac80211: Do not send Layer 2 Update frame before authorization Greg Kroah-Hartman
2020-01-16 23:17 ` [PATCH 4.19 08/84] f2fs: Move err variable to function scope in f2fs_fill_dentries() Greg Kroah-Hartman
2020-01-16 23:17 ` [PATCH 4.19 09/84] f2fs: check memory boundary by insane namelen Greg Kroah-Hartman
2020-01-16 23:17 ` [PATCH 4.19 10/84] f2fs: check if file namelen exceeds max value Greg Kroah-Hartman
2020-01-16 23:17 ` Greg Kroah-Hartman [this message]
2020-01-16 23:17 ` [PATCH 4.19 12/84] iwlwifi: dbg_ini: fix memory leak in alloc_sgtable Greg Kroah-Hartman
2020-01-16 23:17 ` [PATCH 4.19 13/84] iwlwifi: pcie: fix memory leaks in iwl_pcie_ctxt_info_gen3_init Greg Kroah-Hartman
2020-01-16 23:17 ` [PATCH 4.19 14/84] RDMA: Fix goto target to release the allocated memory Greg Kroah-Hartman
2020-01-16 23:17 ` [PATCH 4.19 15/84] dccp: Fix memleak in __feat_register_sp Greg Kroah-Hartman
2020-01-16 23:17 ` [PATCH 4.19 16/84] drm/i915: Fix use-after-free when destroying GEM context Greg Kroah-Hartman
2020-01-16 23:17 ` [PATCH 4.19 17/84] rtc: mt6397: fix alarm register overwrite Greg Kroah-Hartman
2020-01-16 23:17 ` [PATCH 4.19 18/84] RDMA/bnxt_re: Avoid freeing MR resources if dereg fails Greg Kroah-Hartman
2020-01-16 23:17 ` [PATCH 4.19 19/84] RDMA/bnxt_re: Fix Send Work Entry state check while polling completions Greg Kroah-Hartman
2020-01-16 23:17 ` [PATCH 4.19 20/84] ASoC: soc-core: Set dpcm_playback / dpcm_capture Greg Kroah-Hartman
2020-01-16 23:17 ` [PATCH 4.19 21/84] ASoC: stm32: spdifrx: fix inconsistent lock state Greg Kroah-Hartman
2020-01-16 23:17 ` [PATCH 4.19 22/84] ASoC: stm32: spdifrx: fix race condition in irq handler Greg Kroah-Hartman
2020-01-16 23:17 ` [PATCH 4.19 23/84] mtd: onenand: omap2: Pass correct flags for prep_dma_memcpy Greg Kroah-Hartman
2020-01-16 23:17 ` [PATCH 4.19 24/84] gpio: zynq: Fix for bug in zynq_gpio_restore_context API Greg Kroah-Hartman
2020-01-16 23:17 ` [PATCH 4.19 25/84] iommu: Remove device link to group on failure Greg Kroah-Hartman
2020-01-16 23:18 ` [PATCH 4.19 26/84] gpio: Fix error message on out-of-range GPIO in lookup table Greg Kroah-Hartman
2020-01-16 23:18 ` [PATCH 4.19 27/84] hsr: reset network header when supervision frame is created Greg Kroah-Hartman
2020-01-16 23:18 ` [PATCH 4.19 28/84] s390/qeth: fix false reporting of VNIC CHAR config failure Greg Kroah-Hartman
2020-01-16 23:18 ` [PATCH 4.19 29/84] s390/qeth: Fix vnicc_is_in_use if rx_bcast not set Greg Kroah-Hartman
2020-01-16 23:18 ` [PATCH 4.19 30/84] cifs: Adjust indentation in smb2_open_file Greg Kroah-Hartman
2020-01-16 23:18 ` [PATCH 4.19 31/84] afs: Fix missing cell comparison in afs_test_super() Greg Kroah-Hartman
2020-01-16 23:18 ` [PATCH 4.19 32/84] drm/ttm: fix start page for huge page check in ttm_put_pages() Greg Kroah-Hartman
2020-01-16 23:18 ` [PATCH 4.19 33/84] drm/ttm: fix incrementing the page pointer for huge pages Greg Kroah-Hartman
2020-01-16 23:18 ` [PATCH 4.19 34/84] btrfs: simplify inode locking for RWF_NOWAIT Greg Kroah-Hartman
2020-01-16 23:18 ` [PATCH 4.19 35/84] RDMA/mlx5: Return proper error value Greg Kroah-Hartman
2020-01-16 23:18 ` [PATCH 4.19 36/84] RDMA/srpt: Report the SCSI residual to the initiator Greg Kroah-Hartman
2020-01-16 23:18 ` [PATCH 4.19 37/84] scsi: enclosure: Fix stale device oops with hot replug Greg Kroah-Hartman
2020-01-16 23:18 ` [PATCH 4.19 38/84] scsi: sd: Clear sdkp->protection_type if disk is reformatted without PI Greg Kroah-Hartman
2020-01-16 23:18 ` [PATCH 4.19 39/84] platform/x86: asus-wmi: Fix keyboard brightness cannot be set to 0 Greg Kroah-Hartman
2020-01-16 23:18 ` [PATCH 4.19 40/84] platform/x86: GPD pocket fan: Use default values when wrong modparams are given Greg Kroah-Hartman
2020-01-16 23:18 ` [PATCH 4.19 41/84] xprtrdma: Fix completion wait during device removal Greg Kroah-Hartman
2020-01-16 23:18 ` [PATCH 4.19 42/84] crypto: virtio - implement missing support for output IVs Greg Kroah-Hartman
2020-01-16 23:18 ` [PATCH 4.19 43/84] NFSv2: Fix a typo in encode_sattr() Greg Kroah-Hartman
2020-01-16 23:18 ` [PATCH 4.19 44/84] NFSv4.x: Drop the slot if nfs4_delegreturn_prepare waits for layoutreturn Greg Kroah-Hartman
2020-01-16 23:18 ` [PATCH 4.19 45/84] iio: imu: adis16480: assign bias value only if operation succeeded Greg Kroah-Hartman
2020-01-16 23:18 ` [PATCH 4.19 46/84] mei: fix modalias documentation Greg Kroah-Hartman
2020-01-16 23:18 ` [PATCH 4.19 47/84] clk: samsung: exynos5420: Preserve CPU clocks configuration during suspend/resume Greg Kroah-Hartman
2020-01-16 23:18 ` [PATCH 4.19 48/84] pinctl: ti: iodelay: fix error checking on pinctrl_count_index_with_args call Greg Kroah-Hartman
2020-01-16 23:18 ` [PATCH 4.19 49/84] pinctrl: lewisburg: Update pin list according to v1.1v6 Greg Kroah-Hartman
2020-01-16 23:18 ` [PATCH 4.19 50/84] scsi: sd: enable compat ioctls for sed-opal Greg Kroah-Hartman
2020-01-16 23:18 ` [PATCH 4.19 51/84] arm64: dts: apq8096-db820c: Increase load on l21 for SDCARD Greg Kroah-Hartman
2020-01-16 23:18 ` [PATCH 4.19 52/84] af_unix: add compat_ioctl support Greg Kroah-Hartman
2020-01-16 23:18 ` [PATCH 4.19 53/84] compat_ioctl: handle SIOCOUTQNSD Greg Kroah-Hartman
2020-01-16 23:18 ` [PATCH 4.19 54/84] PCI: dwc: Fix find_next_bit() usage Greg Kroah-Hartman
2020-01-16 23:18 ` [PATCH 4.19 55/84] PCI/PTM: Remove spurious "d" from granularity message Greg Kroah-Hartman
2020-01-16 23:18 ` [PATCH 4.19 56/84] powerpc/powernv: Disable native PCIe port management Greg Kroah-Hartman
2020-01-16 23:18 ` [PATCH 4.19 57/84] tty: serial: imx: use the sg count from dma_map_sg Greg Kroah-Hartman
2020-01-16 23:18 ` [PATCH 4.19 58/84] tty: serial: pch_uart: correct usage of dma_unmap_sg Greg Kroah-Hartman
2020-01-16 23:18 ` [PATCH 4.19 59/84] media: ov6650: Fix incorrect use of JPEG colorspace Greg Kroah-Hartman
2020-01-16 23:18 ` [PATCH 4.19 60/84] media: ov6650: Fix some format attributes not under control Greg Kroah-Hartman
2020-01-16 23:18 ` [PATCH 4.19 61/84] media: ov6650: Fix .get_fmt() V4L2_SUBDEV_FORMAT_TRY support Greg Kroah-Hartman
2020-01-16 23:18 ` [PATCH 4.19 62/84] media: rcar-vin: Fix incorrect return statement in rvin_try_format() Greg Kroah-Hartman
2020-01-16 23:18 ` [PATCH 4.19 63/84] media: v4l: cadence: Fix how unsued lanes are handled in csi2rx_start() Greg Kroah-Hartman
2020-01-16 23:18 ` [PATCH 4.19 64/84] media: exynos4-is: Fix recursive locking in isp_video_release() Greg Kroah-Hartman
2020-01-16 23:18 ` [PATCH 4.19 65/84] iommu/mediatek: Correct the flush_iotlb_all callback Greg Kroah-Hartman
2020-01-16 23:18 ` [PATCH 4.19 66/84] mtd: spi-nor: fix silent truncation in spi_nor_read() Greg Kroah-Hartman
2020-01-16 23:18 ` [PATCH 4.19 67/84] mtd: spi-nor: fix silent truncation in spi_nor_read_raw() Greg Kroah-Hartman
2020-01-16 23:18 ` [PATCH 4.19 68/84] spi: atmel: fix handling of cs_change set on non-last xfer Greg Kroah-Hartman
2020-01-16 23:18 ` [PATCH 4.19 69/84] rtlwifi: Remove unnecessary NULL check in rtl_regd_init Greg Kroah-Hartman
2020-01-16 23:18 ` [PATCH 4.19 70/84] f2fs: fix potential overflow Greg Kroah-Hartman
2020-01-16 23:18 ` [PATCH 4.19 71/84] rtc: msm6242: Fix reading of 10-hour digit Greg Kroah-Hartman
2020-01-16 23:18 ` [PATCH 4.19 72/84] rtc: brcmstb-waketimer: add missed clk_disable_unprepare Greg Kroah-Hartman
2020-01-16 23:18 ` [PATCH 4.19 73/84] gpio: mpc8xxx: Add platform device to gpiochip->parent Greg Kroah-Hartman
2020-01-16 23:18 ` [PATCH 4.19 74/84] scsi: libcxgbi: fix NULL pointer dereference in cxgbi_device_destroy() Greg Kroah-Hartman
2020-01-16 23:18 ` [PATCH 4.19 75/84] selftests: firmware: Fix it to do root uid check and skip Greg Kroah-Hartman
2020-01-16 23:18 ` [PATCH 4.19 76/84] rseq/selftests: Turn off timeout setting Greg Kroah-Hartman
2020-01-16 23:18 ` [PATCH 4.19 77/84] mips: cacheinfo: report shared CPU map Greg Kroah-Hartman
2020-01-16 23:18 ` [PATCH 4.19 78/84] MIPS: Prevent link failure with kcov instrumentation Greg Kroah-Hartman
2020-01-16 23:18 ` [PATCH 4.19 79/84] drm/arm/mali: make malidp_mw_connector_helper_funcs static Greg Kroah-Hartman
2020-01-16 23:18 ` [PATCH 4.19 80/84] dmaengine: k3dma: Avoid null pointer traversal Greg Kroah-Hartman
2020-01-16 23:18 ` [PATCH 4.19 81/84] ioat: ioat_alloc_ring() failure handling Greg Kroah-Hartman
2020-01-16 23:18 ` [PATCH 4.19 82/84] hexagon: parenthesize registers in asm predicates Greg Kroah-Hartman
2020-01-16 23:18 ` [PATCH 4.19 83/84] hexagon: work around compiler crash Greg Kroah-Hartman
2020-01-16 23:18 ` [PATCH 4.19 84/84] ocfs2: call journal flush to mark journal as empty after journal recovery when mount Greg Kroah-Hartman
2020-01-17 13:20 ` [PATCH 4.19 00/84] 4.19.97-stable review Jon Hunter
2020-01-17 14:18 ` Naresh Kamboju
2020-01-17 16:01 ` Guenter Roeck
2020-01-17 16:06 ` shuah

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20200116231714.921855815@linuxfoundation.org \
    --to=gregkh@linuxfoundation.org \
    --cc=ben.hutchings@codethink.co.uk \
    --cc=bnvandana@gmail.com \
    --cc=hverkuil-cisco@xs4all.nl \
    --cc=linux-kernel@vger.kernel.org \
    --cc=mchehab+samsung@kernel.org \
    --cc=stable@vger.kernel.org \
    --cc=syzbot+66010012fd4c531a1a96@syzkaller.appspotmail.com \
    --subject='Re: [PATCH 4.19 11/84] media: usb:zr364xx:Fix KASAN:null-ptr-deref Read in zr364xx_vidioc_querycap' \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).