media: v4l2-compat-ioctl32.c: zero buffer passed to v4l2_compat_get_array_args()

Hans Verkuil · mchehab · commit 4e768c8e34e6 · 2022-09-27T10:24:43.000+02:00
The v4l2_compat_get_array_args() function can leave uninitialized memory in the
buffer it is passed. So zero it before copying array elements from userspace
into the buffer.

Signed-off-by: Hans Verkuil &lt;hverkuil-cisco@xs4all.nl&gt;
Reported-by: syzbot+ff18193ff05f3f87f226@syzkaller.appspotmail.com
Reviewed-by: Laurent Pinchart &lt;laurent.pinchart@ideasonboard.com&gt;
Signed-off-by: Mauro Carvalho Chehab &lt;mchehab@kernel.org&gt;
diff --git a/drivers/media/v4l2-core/v4l2-compat-ioctl32.c b/drivers/media/v4l2-core/v4l2-compat-ioctl32.c
@@ -1040,6 +1040,8 @@ int v4l2_compat_get_array_args(struct file *file, void *mbuf,
 {
 	int err = 0;
 
+	memset(mbuf, 0, array_size);
+
 	switch (cmd) {
 	case VIDIOC_G_FMT32:
 	case VIDIOC_S_FMT32:

Original file line number	Diff line number	Diff line change
`@@ -1040,6 +1040,8 @@ int v4l2_compat_get_array_args(struct file file, void mbuf,`
`1040`	`1040`	`{`
`1041`	`1041`	`int err = 0;`
`1042`	`1042`
	`1043`	`+ memset(mbuf, 0, array_size);`
	`1044`	`+`
`1043`	`1045`	`switch (cmd) {`
`1044`	`1046`	`case VIDIOC_G_FMT32:`
`1045`	`1047`	`case VIDIOC_S_FMT32:`