Re: [syzbot] [media?] WARNING in __v4l2_ctrl_modify_dimensions
From: Hans Verkuil
Date: Tue Sep 03 2024 - 06:24:45 EST
Hi Edward,
On 03/09/2024 04:57, Edward Adam Davis wrote:
> The warning appears because the size passed to kvzalloc is larger than INT_MAX.
>
> Add parameter size check before calling kvzalloc in __v4l2_ctrl_modify_dimensions.
I missed the original syzbot post, it ended up in my Spam folder :-(
In any case, this patch doesn't address the real problem, which is that vivid
was missing a check to prevent bad width and height values to be rejected. And
those checks really should take place in core functionality.
I've made a patch for that (you're CC-ed).
Regards,
Hans
>
> #syz test
>
> diff --git a/drivers/media/v4l2-core/v4l2-ctrls-api.c b/drivers/media/v4l2-core/v4l2-ctrls-api.c
> index e5a364efd5e6..0b008cc94901 100644
> --- a/drivers/media/v4l2-core/v4l2-ctrls-api.c
> +++ b/drivers/media/v4l2-core/v4l2-ctrls-api.c
> @@ -986,6 +986,7 @@ int __v4l2_ctrl_modify_dimensions(struct v4l2_ctrl *ctrl,
> unsigned int elems = 1;
> unsigned int i;
> void *p_array;
> + unsigned int bytes;
>
> lockdep_assert_held(ctrl->handler->lock);
>
> @@ -996,7 +997,12 @@ int __v4l2_ctrl_modify_dimensions(struct v4l2_ctrl *ctrl,
> elems *= dims[i];
> if (elems == 0)
> return -EINVAL;
> - p_array = kvzalloc(2 * elems * ctrl->elem_size, GFP_KERNEL);
> +
> + bytes = 2 * elems * ctrl->elem_size;
> + if (unlikely(bytes > INT_MAX))
> + return -EINVAL;
> +
> + p_array = kvzalloc(bytes, GFP_KERNEL);
> if (!p_array)
> return -ENOMEM;
> kvfree(ctrl->p_array);
>
>