From: Hans Verkuil Date: Mon, 21 Mar 2022 08:33:56 +0000 (+0000) Subject: media: v4l2-compat-ioctl32.c: zero buffer passed to v4l2_compat_get_array_args() X-Git-Tag: v5.15.73~72 X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=a6a3b6b11ac0f6edeab66c6b4fb7650108e17a94;p=platform%2Fkernel%2Flinux-rpi.git media: v4l2-compat-ioctl32.c: zero buffer passed to v4l2_compat_get_array_args() commit 4e768c8e34e639cff66a0f175bc4aebf472e4305 upstream. The v4l2_compat_get_array_args() function can leave uninitialized memory in the buffer it is passed. So zero it before copying array elements from userspace into the buffer. Signed-off-by: Hans Verkuil Reported-by: syzbot+ff18193ff05f3f87f226@syzkaller.appspotmail.com Reviewed-by: Laurent Pinchart Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Greg Kroah-Hartman --- diff --git a/drivers/media/v4l2-core/v4l2-compat-ioctl32.c b/drivers/media/v4l2-core/v4l2-compat-ioctl32.c index 80aaf07..94037af 100644 --- a/drivers/media/v4l2-core/v4l2-compat-ioctl32.c +++ b/drivers/media/v4l2-core/v4l2-compat-ioctl32.c @@ -1033,6 +1033,8 @@ int v4l2_compat_get_array_args(struct file *file, void *mbuf, { int err = 0; + memset(mbuf, 0, array_size); + switch (cmd) { case VIDIOC_G_FMT32: case VIDIOC_S_FMT32:
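Review bot: The memset(mbuf, 0, array_size) added ahead of switch (cmd) in v4l2_compat_get_array_args() carries no comment, and the commit message says only that the function "can leave uninitialized memory in the buffer" without naming which case leaves bytes unwritten. A one-line comment above the memset saying that the per-command copies below may not fill every byte of mbuf would stop a later cleanup from dropping the call as redundant. The hunk context cuts the signature off after "void *mbuf,", so the declaration of array_size is not visible here. Please confirm it is the byte length of the allocation behind mbuf and not an element count, because a count would leave the tail of the buffer unzeroed. Since the zeroing runs unconditionally for every cmd, it would also be worth saying in the commit message why it is done here and not where mbuf is allocated.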