4.9-stable patches

[thirdparty/kernel/stable-queue.git] / queue-4.9 / media-v4l2-ctrls.c-uvc-zero-v4l2_event.patch

From f45f3f753b0a3d739acda8e311b4f744d82dc52a Mon Sep 17 00:00:00 2001
From: Hans Verkuil <hverkuil@xs4all.nl>
Date: Tue, 18 Dec 2018 08:37:08 -0500
Subject: media: v4l2-ctrls.c/uvc: zero v4l2_event

From: Hans Verkuil <hverkuil@xs4all.nl>

commit f45f3f753b0a3d739acda8e311b4f744d82dc52a upstream.

Control events can leak kernel memory since they do not fully zero the
event. The same code is present in both v4l2-ctrls.c and uvc_ctrl.c, so
fix both.

It appears that all other event code is properly zeroing the structure,
it's these two places.

Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Reported-by: syzbot+4f021cf3697781dbd9fb@syzkaller.appspotmail.com
Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/media/usb/uvc/uvc_ctrl.c     |    2 +-
 drivers/media/v4l2-core/v4l2-ctrls.c |    2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/media/usb/uvc/uvc_ctrl.c
+++ b/drivers/media/usb/uvc/uvc_ctrl.c
@@ -1203,7 +1203,7 @@ static void uvc_ctrl_fill_event(struct u
 
        __uvc_query_v4l2_ctrl(chain, ctrl, mapping, &v4l2_ctrl);
 
-       memset(ev->reserved, 0, sizeof(ev->reserved));
+       memset(ev, 0, sizeof(*ev));
        ev->type = V4L2_EVENT_CTRL;
        ev->id = v4l2_ctrl.id;
        ev->u.ctrl.value = value;
--- a/drivers/media/v4l2-core/v4l2-ctrls.c
+++ b/drivers/media/v4l2-core/v4l2-ctrls.c
@@ -1231,7 +1231,7 @@ static u32 user_flags(const struct v4l2_
 
 static void fill_event(struct v4l2_event *ev, struct v4l2_ctrl *ctrl, u32 changes)
 {
-       memset(ev->reserved, 0, sizeof(ev->reserved));
+       memset(ev, 0, sizeof(*ev));
        ev->type = V4L2_EVENT_CTRL;
        ev->id = ctrl->id;
        ev->u.ctrl.changes = changes;