[bug report] media: videobuf2: Add new uAPI for DVB streaming I/O

Hello Satendra Singh Thakur,

The patch 57868acc369a: "media: videobuf2: Add new uAPI for DVB
streaming I/O" from Dec 18, 2017, leads to the following static
checker warnings:

  drivers/media/common/videobuf2/videobuf2-core.c:645 vb2_core_querybuf()
  error: buffer overflow 'q->bufs' 32 <= u32max user_rl='0-u32max' uncapped

  drivers/media/common/videobuf2/videobuf2-core.c:1583 vb2_core_qbuf()
  error: buffer overflow 'q->bufs' 32 <= u32max user_rl='0-u32max' uncapped

drivers/media/common/videobuf2/videobuf2-core.c
   643  void vb2_core_querybuf(struct vb2_queue *q, unsigned int index, void *pb)
   644  {
   645          call_void_bufop(q, fill_user_buffer, q->bufs[index], pb);
                                                             ^^^^^
index has not been checked at all.

   646  }
   647  EXPORT_SYMBOL_GPL(vb2_core_querybuf);

I've been re-working how Smatch parses v4l input validation.  Mostly
my approach has been to say that if a function is called from the
v4l2_subdev_call() then it has been validated.  But there are a couple
warnings which remain.

In this case vb2_core_querybuf() is called from two functions.
The vb2_querybuf() function does input validation but the
dvb_vb2_querybuf() function does not.  The callers are
dvb_demux_do_ioctl() and dvb_dvr_do_ioctl() so "index" comes from the
user via the ioctl.

Please let me know if I have misread the code so I can silence this
warning in Smatch.

regards,
dan carpenter
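
The pattern reported above, as an added example that is not part of the original message and not kernel code: a userspace C model in which the core helper indexes a 32-entry array without checking and an ioctl-facing wrapper rejects a bad index first. All type and function names, and the choice to bound the index by a num_buffers count, are assumptions of the model.

```c
/* Userspace model, not kernel code; all names here are hypothetical. */
#include <errno.h>
#include <stdio.h>
#define MODEL_MAX_FRAME 32 /* size of 'q->bufs' in the warning */
struct mbuf { unsigned int index, length; };
struct mqueue {
    struct mbuf *bufs[MODEL_MAX_FRAME];
    unsigned int num_buffers; /* assumed field: slots actually allocated */
};

/* Core helper: trusts its caller, as vb2_core_querybuf() does. */
static void core_querybuf(struct mqueue *q, unsigned int index, struct mbuf *out)
{
    *out = *q->bufs[index];
}

/* Ioctl-facing wrapper: validates the user-supplied index first. */
static int checked_querybuf(struct mqueue *q, unsigned int index, struct mbuf *out)
{
    /* Bound by num_buffers, not the array size: unused slots are NULL. */
    if (index >= q->num_buffers)
        return -EINVAL;
    core_querybuf(q, index, out);
    return 0;
}

/* Constructed queue of 4 buffers; returns the wrapper's status. */
static int model_demo(unsigned int index, unsigned int *length)
{
    static struct mbuf pool[4];
    struct mqueue q = { .num_buffers = 4 };
    struct mbuf out = { 0, 0 };
    int ret;
    for (unsigned int i = 0; i < 4; i++) {
        pool[i] = (struct mbuf){ i, 4096 * (i + 1) };
        q.bufs[i] = &pool[i];
    }
    ret = checked_querybuf(&q, index, &out);
    *length = out.length;
    return ret;
}

int main(void)
{
    unsigned int len, idx[] = { 2, 4, 0xffffffffu };
    for (int i = 0; i < 3; i++)
        printf("index %u -> %d\n", idx[i], model_demo(idx[i], &len));
    return 0;
}
```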


