[v2] media: uvcvideo: Fix OOB read

Message ID 20230717-uvc-oob-v2-1-c7745a8d5847@chromium.org
State New
Series [v2] media: uvcvideo: Fix OOB read

Commit Message

Ricardo Ribalda July 20, 2023, 5:46 p.m. UTC
If the index provided by the user is bigger than the mask size, we might do an
out of bound read.

CC: stable@kernel.org
Fixes: 40140eda661e ("media: uvcvideo: Implement mask for V4L2_CTRL_TYPE_MENU")
Reported-by: Zubin Mithra <zsm@chromium.org>
Signed-off-by: Ricardo Ribalda <ribalda@chromium.org>
---
Avoid reading index >= 31
---
Changes in v2:
- Use BITS_PER_TYPE instead of 32 (thanks Sergey).
- Add Reported-by tag.
- Link to v1: https://lore.kernel.org/r/20230717-uvc-oob-v1-1-f5b9b4aba3b4@chromium.org
---
 drivers/media/usb/uvc/uvc_ctrl.c | 3 +++
 1 file changed, 3 insertions(+)


---
base-commit: fdf0eaf11452d72945af31804e2a1048ee1b574c
change-id: 20230717-uvc-oob-4b0148a00417

Best regards,
  

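The commit message above describes the bug class in one sentence: a user-controlled index is used to select a bit of a fixed-width mask without first being compared against the mask's width. The following is an added example, not code from the patch or from the uvcvideo driver, that models the fixed control flow in user space so the boundary can be exercised. `struct menu_mapping`, `struct querymenu`, `query_menu_entry()` and `menu_index_limit()` are hypothetical stand-ins for the driver's `struct uvc_control_mapping`, `struct v4l2_querymenu` and `uvc_query_v4l2_menu()`; the `1UL << index` lookup is an assumption about how the mask is consulted, and the `BITS_PER_TYPE()` macro is written out locally with the same meaning as the kernel's.

```c
#include <errno.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/* Local copy of the kernel's BITS_PER_TYPE(): bit width of an expression's type. */
#define BITS_PER_TYPE(x) (sizeof(x) * CHAR_BIT)

/*
 * Hypothetical stand-ins for struct uvc_control_mapping and
 * struct v4l2_querymenu, reduced to the fields the check touches.
 */
struct menu_mapping {
	unsigned long menu_mask;	/* bit i set => menu entry i is exposed */
};

struct querymenu {
	uint32_t id;
	uint32_t index;			/* user-supplied, untrusted */
	char name[32];
};

/*
 * Model of the fixed control flow: validate the user-supplied index against
 * the width of the mask before it is used to select a bit.
 * Returns 0 and fills qm->name when the entry exists, -EINVAL when the index
 * cannot address a bit of menu_mask, -ENOENT when the bit is clear.
 */
int query_menu_entry(const struct menu_mapping *mapping, struct querymenu *qm)
{
	uint32_t index = qm->index;

	/*
	 * Without this check, a word-array bit test such as the kernel's
	 * test_bit(index, &mapping->menu_mask) would read the word at
	 * index / BITS_PER_LONG, i.e. memory after menu_mask, for any
	 * index >= BITS_PER_TYPE(menu_mask); a plain shift by such an
	 * index is undefined behaviour. (Assumed lookup, see lead-in.)
	 */
	if (index >= BITS_PER_TYPE(mapping->menu_mask))
		return -EINVAL;

	if (!(mapping->menu_mask & (1UL << index)))
		return -ENOENT;

	snprintf(qm->name, sizeof(qm->name), "entry-%u", (unsigned int)index);
	return 0;
}

/* Number of indices query_menu_entry() accepts: the boundary the fix enforces. */
uint32_t menu_index_limit(const struct menu_mapping *mapping)
{
	return (uint32_t)BITS_PER_TYPE(mapping->menu_mask);
}

int main(void)
{
	/* Constructed sample mapping: entries 0, 1 and 3 supported, all others clear. */
	struct menu_mapping mapping = { .menu_mask = 0x0b };
	uint32_t probes[] = { 0, 2, 3, menu_index_limit(&mapping) - 1,
			      menu_index_limit(&mapping), UINT32_MAX };
	size_t i;

	for (i = 0; i < sizeof(probes) / sizeof(probes[0]); i++) {
		struct querymenu qm = { .id = 1, .index = probes[i] };
		int ret = query_menu_entry(&mapping, &qm);

		printf("index %10u -> %s\n", (unsigned int)probes[i],
		       ret == 0 ? qm.name :
		       ret == -EINVAL ? "-EINVAL" : "-ENOENT");
	}
	return 0;
}
```

The probe list deliberately straddles the boundary: the last addressable bit (`limit - 1`) is a legitimate lookup that merely reports an unsupported entry, while `limit` itself and `UINT32_MAX` are rejected before any bit is read. Deriving the bound from the mask's type rather than a literal is what keeps the check correct if the mask is later widened or narrowed.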
Comments

Sergey Senozhatsky July 20, 2023, 9:47 p.m. UTC | #1
On (23/07/20 17:46), Ricardo Ribalda wrote:
> 
> If the index provided by the user is bigger than the mask size, we might do an
> out of bound read.
> 
> CC: stable@kernel.org
> Fixes: 40140eda661e ("media: uvcvideo: Implement mask for V4L2_CTRL_TYPE_MENU")
> Reported-by: Zubin Mithra <zsm@chromium.org>
> Signed-off-by: Ricardo Ribalda <ribalda@chromium.org>

Reviewed-by: Sergey Senozhatsky <senozhatsky@chromium.org>
  
Laurent Pinchart July 25, 2023, 9:34 p.m. UTC | #2
Hi Ricardo,

Thank you for the patch.

On Thu, Jul 20, 2023 at 05:46:54PM +0000, Ricardo Ribalda wrote:
> If the index provided by the user is bigger than the mask size, we might do an
> out of bound read.
> 
> CC: stable@kernel.org
> Fixes: 40140eda661e ("media: uvcvideo: Implement mask for V4L2_CTRL_TYPE_MENU")
> Reported-by: Zubin Mithra <zsm@chromium.org>

checkpatch now requests a Reported-by tag to be immediately followed by
a Closes tag that contains the URL to the report. Could you please
provide that ?

> Signed-off-by: Ricardo Ribalda <ribalda@chromium.org>
> ---
> Avoid reading index >= 31
> ---
> Changes in v2:
> - Use BITS_PER_TYPE instead of 32 (thanks Sergey).
> - Add Reported-by tag.
> - Link to v1: https://lore.kernel.org/r/20230717-uvc-oob-v1-1-f5b9b4aba3b4@chromium.org
> ---
>  drivers/media/usb/uvc/uvc_ctrl.c | 3 +++
>  1 file changed, 3 insertions(+)
> 
> diff --git a/drivers/media/usb/uvc/uvc_ctrl.c b/drivers/media/usb/uvc/uvc_ctrl.c
> index 5e9d3da862dd..e59a463c2761 100644
> --- a/drivers/media/usb/uvc/uvc_ctrl.c
> +++ b/drivers/media/usb/uvc/uvc_ctrl.c
> @@ -1402,6 +1402,9 @@ int uvc_query_v4l2_menu(struct uvc_video_chain *chain,
>  	query_menu->id = id;
>  	query_menu->index = index;
>  
> +	if (index >= BITS_PER_TYPE(mapping->menu_mask))
> +		return -EINVAL;
> +

I'd move this a few lines up, before setting query_menu.

With those minor changes,

Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>

There's no need for a v3, I can handle the changes locally, but I need
the URL for the Closes tag.

>  	ret = mutex_lock_interruptible(&chain->ctrl_mutex);
>  	if (ret < 0)
>  		return -ERESTARTSYS;
> 
> ---
> base-commit: fdf0eaf11452d72945af31804e2a1048ee1b574c
> change-id: 20230717-uvc-oob-4b0148a00417
  
Ricardo Ribalda July 26, 2023, 6:24 a.m. UTC | #3
Hi Laurent

Thanks for the review!

On Tue, 25 Jul 2023 at 23:34, Laurent Pinchart
<laurent.pinchart@ideasonboard.com> wrote:
>
> Hi Ricardo,
>
> Thank you for the patch.
>
> On Thu, Jul 20, 2023 at 05:46:54PM +0000, Ricardo Ribalda wrote:
> > If the index provided by the user is bigger than the mask size, we might do an
> > out of bound read.
> >
> > CC: stable@kernel.org
> > Fixes: 40140eda661e ("media: uvcvideo: Implement mask for V4L2_CTRL_TYPE_MENU")
> > Reported-by: Zubin Mithra <zsm@chromium.org>
>
> checkpatch now requests a Reported-by tag to be immediately followed by
> a Closes tag that contains the URL to the report. Could you please
> provide that ?
>
I saw that, but the URL is kind of private:

Closes: http://issuetracker.google.com/issues/289975230

> > Signed-off-by: Ricardo Ribalda <ribalda@chromium.org>
> > ---
> > Avoid reading index >= 31
> > ---
> > Changes in v2:
> > - Use BITS_PER_TYPE instead of 32 (thanks Sergey).
> > - Add Reported-by tag.
> > - Link to v1: https://lore.kernel.org/r/20230717-uvc-oob-v1-1-f5b9b4aba3b4@chromium.org
> > ---
> >  drivers/media/usb/uvc/uvc_ctrl.c | 3 +++
> >  1 file changed, 3 insertions(+)
> >
> > diff --git a/drivers/media/usb/uvc/uvc_ctrl.c b/drivers/media/usb/uvc/uvc_ctrl.c
> > index 5e9d3da862dd..e59a463c2761 100644
> > --- a/drivers/media/usb/uvc/uvc_ctrl.c
> > +++ b/drivers/media/usb/uvc/uvc_ctrl.c
> > @@ -1402,6 +1402,9 @@ int uvc_query_v4l2_menu(struct uvc_video_chain *chain,
> >       query_menu->id = id;
> >       query_menu->index = index;
> >
> > +     if (index >= BITS_PER_TYPE(mapping->menu_mask))
> > +             return -EINVAL;
> > +
>
> I'd move this a few lines up, before setting query_menu.
>

SGTM, I just wanted to clear all the fields to mimic the other error
paths of the function.

> With those minor changes,
>
> Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
>
> There's no need for a v3, I can handle the changes locally, but I need
> the URL for the Closes tag.
>
> >       ret = mutex_lock_interruptible(&chain->ctrl_mutex);
> >       if (ret < 0)
> >               return -ERESTARTSYS;
> >
> > ---
> > base-commit: fdf0eaf11452d72945af31804e2a1048ee1b574c
> > change-id: 20230717-uvc-oob-4b0148a00417
>
> --
> Regards,
>
> Laurent Pinchart
  
Laurent Pinchart July 26, 2023, 8:07 a.m. UTC | #4
Hi Ricardo,

(CC'ing Kai and Thorsten who have added the check to checkpatch)

On Wed, Jul 26, 2023 at 08:24:50AM +0200, Ricardo Ribalda wrote:
> On Tue, 25 Jul 2023 at 23:34, Laurent Pinchart wrote:
> > On Thu, Jul 20, 2023 at 05:46:54PM +0000, Ricardo Ribalda wrote:
> > > If the index provided by the user is bigger than the mask size, we might do an
> > > out of bound read.
> > >
> > > CC: stable@kernel.org
> > > Fixes: 40140eda661e ("media: uvcvideo: Implement mask for V4L2_CTRL_TYPE_MENU")
> > > Reported-by: Zubin Mithra <zsm@chromium.org>
> >
> > checkpatch now requests a Reported-by tag to be immediately followed by
> > a Closes tag that contains the URL to the report. Could you please
> > provide that ?
>
> I saw that, but the URL is kind of private:
> 
> Closes: http://issuetracker.google.com/issues/289975230

Ah :-S I wonder if we should drop the Reported-by tag then ?

> > > Signed-off-by: Ricardo Ribalda <ribalda@chromium.org>
> > > ---
> > > Avoid reading index >= 31
> > > ---
> > > Changes in v2:
> > > - Use BITS_PER_TYPE instead of 32 (thanks Sergey).
> > > - Add Reported-by tag.
> > > - Link to v1: https://lore.kernel.org/r/20230717-uvc-oob-v1-1-f5b9b4aba3b4@chromium.org
> > > ---
> > >  drivers/media/usb/uvc/uvc_ctrl.c | 3 +++
> > >  1 file changed, 3 insertions(+)
> > >
> > > diff --git a/drivers/media/usb/uvc/uvc_ctrl.c b/drivers/media/usb/uvc/uvc_ctrl.c
> > > index 5e9d3da862dd..e59a463c2761 100644
> > > --- a/drivers/media/usb/uvc/uvc_ctrl.c
> > > +++ b/drivers/media/usb/uvc/uvc_ctrl.c
> > > @@ -1402,6 +1402,9 @@ int uvc_query_v4l2_menu(struct uvc_video_chain *chain,
> > >       query_menu->id = id;
> > >       query_menu->index = index;
> > >
> > > +     if (index >= BITS_PER_TYPE(mapping->menu_mask))
> > > +             return -EINVAL;
> > > +
> >
> > I'd move this a few lines up, before setting query_menu.
> 
> SGTM, I just wanted to clear all the fields to mimic the other error
> paths of the function.

I'm fine with that too if you prefer.

> > With those minor changes,
> >
> > Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
> >
> > There's no need for a v3, I can handle the changes locally, but I need
> > the URL for the Closes tag.
> >
> > >       ret = mutex_lock_interruptible(&chain->ctrl_mutex);
> > >       if (ret < 0)
> > >               return -ERESTARTSYS;
> > >
> > > ---
> > > base-commit: fdf0eaf11452d72945af31804e2a1048ee1b574c
> > > change-id: 20230717-uvc-oob-4b0148a00417
  
Thorsten Leemhuis July 26, 2023, 8:33 a.m. UTC | #5
On 26.07.23 10:07, Laurent Pinchart wrote:
> (CC'ing Kai and Thorsten who have added the check to checkpatch)
> 
> On Wed, Jul 26, 2023 at 08:24:50AM +0200, Ricardo Ribalda wrote:
>> On Tue, 25 Jul 2023 at 23:34, Laurent Pinchart wrote:
>>> On Thu, Jul 20, 2023 at 05:46:54PM +0000, Ricardo Ribalda wrote:
>>>> If the index provided by the user is bigger than the mask size, we might do an
>>>> out of bound read.
>>>>
>>>> CC: stable@kernel.org
>>>> Fixes: 40140eda661e ("media: uvcvideo: Implement mask for V4L2_CTRL_TYPE_MENU")
>>>> Reported-by: Zubin Mithra <zsm@chromium.org>
>>>
>>> checkpatch now requests a Reported-by tag to be immediately followed by
>>> a Closes

Not that it matters, the changes I performed only required a Link: tag,
which is how things should have been done for many years already. It
later became Closes: due to patches from Matthieu. But whatever. :-D

>>> tag that contains the URL to the report. Could you please
>>> provide that ?
>> I saw that, but the URL is kind of private:
>> Closes: http://issuetracker.google.com/issues/289975230
> Ah :-S I wonder if we should drop the Reported-by tag then ?

That's what I do, unless the reporter granted his permission. To quote
Documentation/process/5.Posting.rst : ```Be careful in the addition of
tags to your patches, as only Cc: is appropriate for addition without
the explicit permission of the person named; using Reported-by: is fine
most of the time as well, but ask for permission if the bug was reported
in private.```

I heard of one instance where a GDPR complaint was filed due to a
Reported-by: tag. So maybe that part should be even revisited reg. the
Cc: aspect. :-/

Ciao, Thorsten
  
Ricardo Ribalda July 26, 2023, 8:37 a.m. UTC | #6
Hi Laurent

On Wed, 26 Jul 2023 at 10:07, Laurent Pinchart
<laurent.pinchart@ideasonboard.com> wrote:
>
> Hi Ricardo,
>
> (CC'ing Kai and Thorsten who have added the check to checkpatch)
>
> On Wed, Jul 26, 2023 at 08:24:50AM +0200, Ricardo Ribalda wrote:
> > On Tue, 25 Jul 2023 at 23:34, Laurent Pinchart wrote:
> > > On Thu, Jul 20, 2023 at 05:46:54PM +0000, Ricardo Ribalda wrote:
> > > > If the index provided by the user is bigger than the mask size, we might do an
> > > > out of bound read.
> > > >
> > > > CC: stable@kernel.org
> > > > Fixes: 40140eda661e ("media: uvcvideo: Implement mask for V4L2_CTRL_TYPE_MENU")
> > > > Reported-by: Zubin Mithra <zsm@chromium.org>
> > >
> > > checkpatch now requests a Reported-by tag to be immediately followed by
> > > a Closes tag that contains the URL to the report. Could you please
> > > provide that ?
> >
> > I saw that, but the URL is kind of private:
> >
> > Closes: http://issuetracker.google.com/issues/289975230
>
> Ah :-S I wonder if we should drop the Reported-by tag then ?
>
> > > > Signed-off-by: Ricardo Ribalda <ribalda@chromium.org>
> > > > ---
> > > > Avoid reading index >= 31
> > > > ---
> > > > Changes in v2:
> > > > - Use BITS_PER_TYPE instead of 32 (thanks Sergey).
> > > > - Add Reported-by tag.
> > > > - Link to v1: https://lore.kernel.org/r/20230717-uvc-oob-v1-1-f5b9b4aba3b4@chromium.org
> > > > ---
> > > >  drivers/media/usb/uvc/uvc_ctrl.c | 3 +++
> > > >  1 file changed, 3 insertions(+)
> > > >
> > > > diff --git a/drivers/media/usb/uvc/uvc_ctrl.c b/drivers/media/usb/uvc/uvc_ctrl.c
> > > > index 5e9d3da862dd..e59a463c2761 100644
> > > > --- a/drivers/media/usb/uvc/uvc_ctrl.c
> > > > +++ b/drivers/media/usb/uvc/uvc_ctrl.c
> > > > @@ -1402,6 +1402,9 @@ int uvc_query_v4l2_menu(struct uvc_video_chain *chain,
> > > >       query_menu->id = id;
> > > >       query_menu->index = index;
> > > >
> > > > +     if (index >= BITS_PER_TYPE(mapping->menu_mask))
> > > > +             return -EINVAL;
> > > > +
> > >
> > > I'd move this a few lines up, before setting query_menu.
> >
> > SGTM, I just wanted to clear all the fields to mimic the other error
> > paths of the function.
>
> I'm fine with that too if you prefer.

Your call. I prefer my version, but I am of course biased :P

>
> > > With those minor changes,
> > >
> > > Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
> > >
> > > There's no need for a v3, I can handle the changes locally, but I need
> > > the URL for the Closes tag.
> > >
> > > >       ret = mutex_lock_interruptible(&chain->ctrl_mutex);
> > > >       if (ret < 0)
> > > >               return -ERESTARTSYS;
> > > >
> > > > ---
> > > > base-commit: fdf0eaf11452d72945af31804e2a1048ee1b574c
> > > > change-id: 20230717-uvc-oob-4b0148a00417
>
> --
> Regards,
>
> Laurent Pinchart
  
Ricardo Ribalda July 26, 2023, 8:38 a.m. UTC | #7
Hi Thorsten

On Wed, 26 Jul 2023 at 10:33, Thorsten Leemhuis <linux@leemhuis.info> wrote:
>
> On 26.07.23 10:07, Laurent Pinchart wrote:
> > (CC'ing Kai and Thorsten who have added the check to checkpatch)
> >
> > On Wed, Jul 26, 2023 at 08:24:50AM +0200, Ricardo Ribalda wrote:
> >> On Tue, 25 Jul 2023 at 23:34, Laurent Pinchart wrote:
> >>> On Thu, Jul 20, 2023 at 05:46:54PM +0000, Ricardo Ribalda wrote:
> >>>> If the index provided by the user is bigger than the mask size, we might do an
> >>>> out of bound read.
> >>>>
> >>>> CC: stable@kernel.org
> >>>> Fixes: 40140eda661e ("media: uvcvideo: Implement mask for V4L2_CTRL_TYPE_MENU")
> >>>> Reported-by: Zubin Mithra <zsm@chromium.org>
> >>>
> >>> checkpatch now requests a Reported-by tag to be immediately followed by
> >>> a Closes
>
> Not that it matters, the changes I performed only required a Link: tag,
> which is how things should have been done for many years already. It
> later became Closes: due to patches from Matthieu. But whatever. :-D
>

I prefer to leave the Reported-by and remove the Closes, that way we
credit the reporter (assuming they approved to be referred).

But if that is not possible, just remove the reported-by. A private
link is pretty much noise on the tree.

Thanks!

> >>> tag that contains the URL to the report. Could you please
> >>> provide that ?
> >> I saw that, but the URL is kind of private:
> >> Closes: http://issuetracker.google.com/issues/289975230
> > Ah :-S I wonder if we should drop the Reported-by tag then ?
>
> That's what I do, unless the reporter granted his permission. To quote
> Documentation/process/5.Posting.rst : ```Be careful in the addition of
> tags to your patches, as only Cc: is appropriate for addition without
> the explicit permission of the person named; using Reported-by: is fine
> most of the time as well, but ask for permission if the bug was reported
> in private.```
>
> I heard of one instance where a GDPR complaint was filed due to a
> Reported-by: tag. So maybe that part should be even revisited reg. the
> Cc: aspect. :-/
>
> Ciao, Thorsten
  
Thorsten Leemhuis July 26, 2023, 8:47 a.m. UTC | #8
On 26.07.23 10:38, Ricardo Ribalda wrote:
> On Wed, 26 Jul 2023 at 10:33, Thorsten Leemhuis <linux@leemhuis.info> wrote:
>> On 26.07.23 10:07, Laurent Pinchart wrote:
>>> (CC'ing Kai and Thorsten who have added the check to checkpatch)
>>>
>>> On Wed, Jul 26, 2023 at 08:24:50AM +0200, Ricardo Ribalda wrote:
>>>> On Tue, 25 Jul 2023 at 23:34, Laurent Pinchart wrote:
>>>>> On Thu, Jul 20, 2023 at 05:46:54PM +0000, Ricardo Ribalda wrote:
>>>>>> If the index provided by the user is bigger than the mask size, we might do an
>>>>>> out of bound read.
>>>>>>
>>>>>> CC: stable@kernel.org
>>>>>> Fixes: 40140eda661e ("media: uvcvideo: Implement mask for V4L2_CTRL_TYPE_MENU")
>>>>>> Reported-by: Zubin Mithra <zsm@chromium.org>
>>>>>
>>>>> checkpatch now requests a Reported-by tag to be immediately followed by
>>>>> a Closes
>>
>> Not that it matters, the changes I performed only required a Link: tag,
>> which is how things should have been done for many years already. It
>> later became Closes: due to patches from Matthieu. But whatever. :-D
> 
> I prefer to leave the Reported-by and remove the Closes, that way we
> credit the reporter (assuming they approved to be referred).
> 
> But if that is not possible, just remove the reported-by. A private
> link is pretty much noise on the tree.

Yeah, of course that's the right strategy (Linus made it pretty clear
that he doesn't want any private links) in case the reporter is okay with
the Reported-by. Sorry, forgot to cover that case in my reply.

Ciao, Thorsten
  
Zubin Mithra July 26, 2023, 1:43 p.m. UTC | #9
On Wed, Jul 26, 2023 at 10:47:46AM +0200, Thorsten Leemhuis wrote:
> On 26.07.23 10:38, Ricardo Ribalda wrote:
> > On Wed, 26 Jul 2023 at 10:33, Thorsten Leemhuis <linux@leemhuis.info> wrote:
> >> On 26.07.23 10:07, Laurent Pinchart wrote:
> >>> (CC'ing Kai and Thorsten who have added the check to checkpatch)
> >>>
> >>> On Wed, Jul 26, 2023 at 08:24:50AM +0200, Ricardo Ribalda wrote:
> >>>> On Tue, 25 Jul 2023 at 23:34, Laurent Pinchart wrote:
> >>>>> On Thu, Jul 20, 2023 at 05:46:54PM +0000, Ricardo Ribalda wrote:
> >>>>>> If the index provided by the user is bigger than the mask size, we might do an
> >>>>>> out of bound read.
> >>>>>>
> >>>>>> CC: stable@kernel.org
> >>>>>> Fixes: 40140eda661e ("media: uvcvideo: Implement mask for V4L2_CTRL_TYPE_MENU")
> >>>>>> Reported-by: Zubin Mithra <zsm@chromium.org>
> >>>>>
> >>>>> checkpatch now requests a Reported-by tag to be immediately followed by
> >>>>> a Closes
> >>
> >> Not that it matters, the changes I performed only required a Link: tag,
> >> which is how things should have been done for many years already. It
> >> later became Closes: due to patches from Matthieu. But whatever. :-D
> > 
> > I prefer to leave the Reported-by and remove the Closes, that way we
> > credit the reporter (assuming they approved to be referred).
> > 
> > But if that is not possible, just remove the reported-by. A private
> > link is pretty much noise on the tree.
> 
> Yeah, of course that's the right strategy (Linus made it pretty clear
> that he doesn't want any private links) in case the reporter is okay with
> the Reported-by. Sorry, forgot to cover that case in my reply.
> 

I don't have a preference either way. Please feel free to remove the
reported-by tag.

Thanks,
- Zubin

> Ciao, Thorsten
  
Laurent Pinchart July 26, 2023, 3:19 p.m. UTC | #10
On Wed, Jul 26, 2023 at 10:47:46AM +0200, Thorsten Leemhuis wrote:
> On 26.07.23 10:38, Ricardo Ribalda wrote:
> > On Wed, 26 Jul 2023 at 10:33, Thorsten Leemhuis <linux@leemhuis.info> wrote:
> >> On 26.07.23 10:07, Laurent Pinchart wrote:
> >>> (CC'ing Kai and Thorsten who have added the check to checkpatch)
> >>>
> >>> On Wed, Jul 26, 2023 at 08:24:50AM +0200, Ricardo Ribalda wrote:
> >>>> On Tue, 25 Jul 2023 at 23:34, Laurent Pinchart wrote:
> >>>>> On Thu, Jul 20, 2023 at 05:46:54PM +0000, Ricardo Ribalda wrote:
> >>>>>> If the index provided by the user is bigger than the mask size, we might do an
> >>>>>> out of bound read.
> >>>>>>
> >>>>>> CC: stable@kernel.org
> >>>>>> Fixes: 40140eda661e ("media: uvcvideo: Implement mask for V4L2_CTRL_TYPE_MENU")
> >>>>>> Reported-by: Zubin Mithra <zsm@chromium.org>
> >>>>>
> >>>>> checkpatch now requests a Reported-by tag to be immediately followed by
> >>>>> a Closes
> >>
> >> Not that it matters, the changes I performed only required a Link: tag,
> >> which is how things should have been done for many years already. It
> >> later became Closes: due to patches from Matthieu. But whatever. :-D
> > 
> > I prefer to leave the Reported-by and remove the Closes, that way we
> > credit the reporter (assuming they approved to be referred).
> > 
> > But if that is not possible, just remove the reported-by. A private
> > link is pretty much noise on the tree.
> 
> Yeah, of course that's the right strategy (Linus made it pretty clear
> that he doesn't want any private links) in case the reporter is okay with
> the Reported-by. Sorry, forgot to cover that case in my reply.

I'll keep the Reported-by and omit the Link/Closes tags.
  

Patch

diff --git a/drivers/media/usb/uvc/uvc_ctrl.c b/drivers/media/usb/uvc/uvc_ctrl.c
index 5e9d3da862dd..e59a463c2761 100644
--- a/drivers/media/usb/uvc/uvc_ctrl.c
+++ b/drivers/media/usb/uvc/uvc_ctrl.c
@@ -1402,6 +1402,9 @@  int uvc_query_v4l2_menu(struct uvc_video_chain *chain,
 	query_menu->id = id;
 	query_menu->index = index;
 
+	if (index >= BITS_PER_TYPE(mapping->menu_mask))
+		return -EINVAL;
+
 	ret = mutex_lock_interruptible(&chain->ctrl_mutex);
 	if (ret < 0)
 		return -ERESTARTSYS;
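Review bot: the new `if (index >= BITS_PER_TYPE(mapping->menu_mask))` check sits after `query_menu->id = id;` and `query_menu->index = index;`, so a caller that receives -EINVAL still gets those two fields rewritten; either hoist the check above the two assignments, as suggested in the thread, or keep it here on purpose for consistency with the function's other error paths, and state the choice in the commit message. Placing it ahead of `mutex_lock_interruptible()` is right, since the early return then needs no unlock. Deriving the bound from the width of `menu_mask` rather than a literal is the robust choice; note that the cover note's "Avoid reading index >= 31" does not match the code, which rejects every index at or above the mask's bit width, so the note should be reworded or dropped.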