Re: [PATCH 073/190] Revert "media: rcar_drif: fix a memory disclosure"
From: Geert Uytterhoeven
Date: Thu Apr 22 2021 - 02:57:55 EST
Hi Laurent,
On Wed, Apr 21, 2021 at 11:22 PM Laurent Pinchart
<laurent.pinchart@xxxxxxxxxxxxxxxx> wrote:
> On Wed, Apr 21, 2021 at 08:58:22PM +0200, Geert Uytterhoeven wrote:
> > On Wed, Apr 21, 2021 at 3:06 PM Greg Kroah-Hartman wrote:
> > > This reverts commit d39083234c60519724c6ed59509a2129fd2aed41.
> > >
> > > Commits from @umn.edu addresses have been found to be submitted in "bad
> > > faith" to try to test the kernel community's ability to review "known
> > > malicious" changes. The result of these submissions can be found in a
> > > paper published at the 42nd IEEE Symposium on Security and Privacy
> > > entitled, "Open Source Insecurity: Stealthily Introducing
> > > Vulnerabilities via Hypocrite Commits" written by Qiushi Wu (University
> > > of Minnesota) and Kangjie Lu (University of Minnesota).
> > >
> > > Because of this, all submissions from this group must be reverted from
> > > the kernel tree and will need to be re-reviewed again to determine if
> > > they actually are a valid fix. Until that work is complete, remove this
> > > change to ensure that no problems are being introduced into the
> > > codebase.
> > >
> > > Cc: Kangjie Lu <kjlu@xxxxxxx>
> > > Cc: Geert Uytterhoeven <geert+renesas@xxxxxxxxx>
> > > Cc: Hans Verkuil <hverkuil-cisco@xxxxxxxxx>
> > > Cc: Mauro Carvalho Chehab <mchehab@xxxxxxxxxx>
> > > Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
> >
> > Upon a second look, I still see nothing wrong with the original commit.
> > However, as I'm no v4l expert, I'd like to defer to the experts for final
> > judgement.
>
> It seems fine to me, but it also seems unneeded, as the V4L2 core clears
> the whole f->fmt union before calling this operation. The revert will
> this improve performance very slightly.
Hmm, that means very recent commit f12b81e47f48940a ("media: core
headers: fix kernel-doc warnings") is not fully correct, as it added
kerneldoc stating this is the responsibility of the driver:
+ * @reserved: drivers and applications must zero this array
Anyway, it doesn't look like this umn.edu patch introduced a bug.
> > > --- a/drivers/media/platform/rcar_drif.c
> > > +++ b/drivers/media/platform/rcar_drif.c
> > > @@ -915,7 +915,6 @@ static int rcar_drif_g_fmt_sdr_cap(struct file *file, void *priv,
> > > {
> > > struct rcar_drif_sdr *sdr = video_drvdata(file);
> > >
> > > - memset(f->fmt.sdr.reserved, 0, sizeof(f->fmt.sdr.reserved));
> > > f->fmt.sdr.pixelformat = sdr->fmt->pixelformat;
> > > f->fmt.sdr.buffersize = sdr->fmt->buffersize;
Gr{oetje,eeting}s,
Geert
--
Geert Uytterhoeven -- There's lots of Linux beyond ia32 -- geert@xxxxxxxxxxxxxx
In personal conversations with technical people, I call myself a hacker. But
when I'm talking to journalists I just say "programmer" or something like that.
-- Linus Torvalds