video_put_user() is copying uninitialized stack memory to userspace. Fix
it by initializing `vb32` using memset().

Reported-and-tested-by: syzbot+79d751604cb6f29fb...@syzkaller.appspotmail.com
Link: https://syzkaller.appspot.com/bug?extid=79d751604cb6f29fbf59
Signed-off-by: Peilin Ye <yepeilin...@gmail.com>
---
 drivers/media/v4l2-core/v4l2-ioctl.c | 32 +++++++++++++++-------------
 1 file changed, 17 insertions(+), 15 deletions(-)

diff --git a/drivers/media/v4l2-core/v4l2-ioctl.c 
b/drivers/media/v4l2-core/v4l2-ioctl.c
index a556880f225a..08909f58dc80 100644
--- a/drivers/media/v4l2-core/v4l2-ioctl.c
+++ b/drivers/media/v4l2-core/v4l2-ioctl.c
@@ -3210,21 +3210,23 @@ static int video_put_user(void __user *arg, void *parg, 
unsigned int cmd)
        case VIDIOC_DQBUF_TIME32:
        case VIDIOC_PREPARE_BUF_TIME32: {
                struct v4l2_buffer *vb = parg;
-               struct v4l2_buffer_time32 vb32 = {
-                       .index          = vb->index,
-                       .type           = vb->type,
-                       .bytesused      = vb->bytesused,
-                       .flags          = vb->flags,
-                       .field          = vb->field,
-                       .timestamp.tv_sec       = vb->timestamp.tv_sec,
-                       .timestamp.tv_usec      = vb->timestamp.tv_usec,
-                       .timecode       = vb->timecode,
-                       .sequence       = vb->sequence,
-                       .memory         = vb->memory,
-                       .m.userptr      = vb->m.userptr,
-                       .length         = vb->length,
-                       .request_fd     = vb->request_fd,
-               };
+               struct v4l2_buffer_time32 vb32;
+
+               memset(&vb32, 0, sizeof(vb32));
+
+               vb32.index      = vb->index;
+               vb32.type       = vb->type;
+               vb32.bytesused  = vb->bytesused;
+               vb32.flags      = vb->flags;
+               vb32.field      = vb->field;
+               vb32.timestamp.tv_sec   = vb->timestamp.tv_sec;
+               vb32.timestamp.tv_usec  = vb->timestamp.tv_usec;
+               vb32.timecode   = vb->timecode;
+               vb32.sequence   = vb->sequence;
+               vb32.memory     = vb->memory;
+               vb32.m.userptr  = vb->m.userptr;
+               vb32.length     = vb->length;
+               vb32.request_fd = vb->request_fd;
 
                if (copy_to_user(arg, &vb32, sizeof(vb32)))
                        return -EFAULT;
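Review bot: The reason for replacing the designated initializer with `memset()` plus per-field assignments is not recorded in the code, so a later cleanup could fold it back into an initializer and reintroduce the leak. A designated initializer is not guaranteed to zero the struct's padding bytes, while `copy_to_user(arg, &vb32, sizeof(vb32))` copies every byte of the object to userspace. I would add a comment directly above the memset, e.g. `/* memset() rather than an initializer: padding must be zeroed before copy_to_user() */`. The rest of video_put_user()'s switch lies outside this hunk; any other case that builds a compat struct with an initializer before copying it out presumably needs the same treatment and is worth checking.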
-- 
2.25.1
