From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Mon, 25 Mar 2019 20:34:49 +0000 (+0900)
Subject: 3.18-stable patches
X-Git-Tag: v4.9.166~26
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=c22c3709b4fed6c28de4885f106af2cfacb09019;p=thirdparty%2Fkernel%2Fstable-queue.git

3.18-stable patches

added patches:
	media-v4l2-ctrls.c-uvc-zero-v4l2_event.patch
---

diff --git a/queue-3.18/media-v4l2-ctrls.c-uvc-zero-v4l2_event.patch b/queue-3.18/media-v4l2-ctrls.c-uvc-zero-v4l2_event.patch
new file mode 100644
index 00000000000..cb13dc8d66f
--- /dev/null
+++ b/queue-3.18/media-v4l2-ctrls.c-uvc-zero-v4l2_event.patch
@@ -0,0 +1,49 @@
+From f45f3f753b0a3d739acda8e311b4f744d82dc52a Mon Sep 17 00:00:00 2001
+From: Hans Verkuil <hverkuil@xs4all.nl>
+Date: Tue, 18 Dec 2018 08:37:08 -0500
+Subject: media: v4l2-ctrls.c/uvc: zero v4l2_event
+
+From: Hans Verkuil <hverkuil@xs4all.nl>
+
+commit f45f3f753b0a3d739acda8e311b4f744d82dc52a upstream.
+
+Control events can leak kernel memory since they do not fully zero the
+event. The same code is present in both v4l2-ctrls.c and uvc_ctrl.c, so
+fix both.
+
+It appears that all other event code is properly zeroing the structure,
+it's these two places.
+
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Reported-by: syzbot+4f021cf3697781dbd9fb@syzkaller.appspotmail.com
+Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/usb/uvc/uvc_ctrl.c     |    2 +-
+ drivers/media/v4l2-core/v4l2-ctrls.c |    2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/media/usb/uvc/uvc_ctrl.c
++++ b/drivers/media/usb/uvc/uvc_ctrl.c
+@@ -1202,7 +1202,7 @@ static void uvc_ctrl_fill_event(struct u
+ 
+ 	__uvc_query_v4l2_ctrl(chain, ctrl, mapping, &v4l2_ctrl);
+ 
+-	memset(ev->reserved, 0, sizeof(ev->reserved));
++	memset(ev, 0, sizeof(*ev));
+ 	ev->type = V4L2_EVENT_CTRL;
+ 	ev->id = v4l2_ctrl.id;
+ 	ev->u.ctrl.value = value;
+--- a/drivers/media/v4l2-core/v4l2-ctrls.c
++++ b/drivers/media/v4l2-core/v4l2-ctrls.c
+@@ -1208,7 +1208,7 @@ static u32 user_flags(const struct v4l2_
+ 
+ static void fill_event(struct v4l2_event *ev, struct v4l2_ctrl *ctrl, u32 changes)
+ {
+-	memset(ev->reserved, 0, sizeof(ev->reserved));
++	memset(ev, 0, sizeof(*ev));
+ 	ev->type = V4L2_EVENT_CTRL;
+ 	ev->id = ctrl->id;
+ 	ev->u.ctrl.changes = changes;
diff --git a/queue-3.18/series b/queue-3.18/series
index 6e649ae5642..99b63a748a7 100644
--- a/queue-3.18/series
+++ b/queue-3.18/series
@@ -4,3 +4,4 @@ ext4-fix-null-pointer-dereference-while-journal-is-aborted.patch
 ext4-fix-data-corruption-caused-by-unaligned-direct-aio.patch
 ext4-brelse-all-indirect-buffer-in-ext4_ind_remove_space.patch
 mmc-tmio_mmc_core-don-t-claim-spurious-interrupts.patch
+media-v4l2-ctrls.c-uvc-zero-v4l2_event.patch