summaryrefslogtreecommitdiff
path: root/drivers/media/usb/gspca/sonixj.c
diff options
context:
space:
mode:
authorHans Verkuil <hverkuil-cisco@xs4all.nl>2019-08-16 03:38:13 -0300
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>2019-10-05 12:47:50 +0200
commitd2f33830a8046f14474120b4dae4d71ee668ec18 (patch)
tree202e3f8649f94d3885d4f69b5190b5154ec988cc /drivers/media/usb/gspca/sonixj.c
parent590580691705bfca8a9979ae781e75df29dec3e1 (diff)
media: gspca: zero usb_buf on error
[ Upstream commit 4843a543fad3bf8221cf14e5d5f32d15cee89e84 ] If reg_r() fails, then gspca_dev->usb_buf was left uninitialized, and some drivers used the contents of that buffer in logic. This caused several syzbot errors: https://syzkaller.appspot.com/bug?extid=397fd082ce5143e2f67d https://syzkaller.appspot.com/bug?extid=1a35278dd0ebfb3a038a https://syzkaller.appspot.com/bug?extid=06ddf1788cfd048c5e82 I analyzed the gspca drivers and zeroed the buffer where needed. Reported-and-tested-by: syzbot+1a35278dd0ebfb3a038a@syzkaller.appspotmail.com Reported-and-tested-by: syzbot+397fd082ce5143e2f67d@syzkaller.appspotmail.com Reported-and-tested-by: syzbot+06ddf1788cfd048c5e82@syzkaller.appspotmail.com Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl> Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org> Signed-off-by: Sasha Levin <sashal@kernel.org>
Diffstat (limited to 'drivers/media/usb/gspca/sonixj.c')
-rw-r--r--drivers/media/usb/gspca/sonixj.c5
1 files changed, 5 insertions, 0 deletions
diff --git a/drivers/media/usb/gspca/sonixj.c b/drivers/media/usb/gspca/sonixj.c
index 5eeaf16ac5e8..c53002a5ccb7 100644
--- a/drivers/media/usb/gspca/sonixj.c
+++ b/drivers/media/usb/gspca/sonixj.c
@@ -1170,6 +1170,11 @@ static void reg_r(struct gspca_dev *gspca_dev,
if (ret < 0) {
pr_err("reg_r err %d\n", ret);
gspca_dev->usb_err = ret;
+ /*
+ * Make sure the buffer is zeroed to avoid uninitialized
+ * values.
+ */
+ memset(gspca_dev->usb_buf, 0, USB_BUF_SZ);
}
}
generated by cgit v1.2.3 (git 2.0.4) at 2024-05-22 00:21:33 +0000