diff options
author | Hans Verkuil <hverkuil-cisco@xs4all.nl> | 2019-08-16 03:38:13 -0300 |
---|---|---|
committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2019-10-05 12:47:50 +0200 |
commit | d2f33830a8046f14474120b4dae4d71ee668ec18 (patch) | |
tree | 202e3f8649f94d3885d4f69b5190b5154ec988cc /drivers/media/usb/gspca/sonixb.c | |
parent | 590580691705bfca8a9979ae781e75df29dec3e1 (diff) |
media: gspca: zero usb_buf on error
[ Upstream commit 4843a543fad3bf8221cf14e5d5f32d15cee89e84 ]
If reg_r() fails, then gspca_dev->usb_buf was left uninitialized,
and some drivers used the contents of that buffer in logic.
This caused several syzbot errors:
https://syzkaller.appspot.com/bug?extid=397fd082ce5143e2f67d
https://syzkaller.appspot.com/bug?extid=1a35278dd0ebfb3a038a
https://syzkaller.appspot.com/bug?extid=06ddf1788cfd048c5e82
I analyzed the gspca drivers and zeroed the buffer where needed.
Reported-and-tested-by: syzbot+1a35278dd0ebfb3a038a@syzkaller.appspotmail.com
Reported-and-tested-by: syzbot+397fd082ce5143e2f67d@syzkaller.appspotmail.com
Reported-and-tested-by: syzbot+06ddf1788cfd048c5e82@syzkaller.appspotmail.com
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Diffstat (limited to 'drivers/media/usb/gspca/sonixb.c')
-rw-r--r-- | drivers/media/usb/gspca/sonixb.c | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/drivers/media/usb/gspca/sonixb.c b/drivers/media/usb/gspca/sonixb.c index 5f3f2979540a..22de65d840dd 100644 --- a/drivers/media/usb/gspca/sonixb.c +++ b/drivers/media/usb/gspca/sonixb.c @@ -462,6 +462,11 @@ static void reg_r(struct gspca_dev *gspca_dev, dev_err(gspca_dev->v4l2_dev.dev, "Error reading register %02x: %d\n", value, res); gspca_dev->usb_err = res; + /* + * Make sure the result is zeroed to avoid uninitialized + * values. + */ + gspca_dev->usb_buf[0] = 0; } } |