Hi Arnd, Thank you for the patch. On Mon, Jun 14, 2021 at 12:34:03PM +0200, Arnd Bergmann wrote: > From: Arnd Bergmann <arnd@xxxxxxxx> > > As seen from a recent syzbot bug report, mistakes in the compat ioctl > implementation can lead to uninitialized kernel stack data getting used > as input for driver ioctl handlers. > > The reported bug is now fixed, but it's possible that other related > bugs are still present or get added in the future. As the drivers need > to check user input already, the possible impact is fairly low, but it > might still cause an information leak. > > To be on the safe side, always clear the entire ioctl buffer before > calling the conversion handler functions that are meant to initialize > them. > > Signed-off-by: Arnd Bergmann <arnd@xxxxxxxx> > --- > drivers/media/v4l2-core/v4l2-ioctl.c | 2 ++ > 1 file changed, 2 insertions(+) > > diff --git a/drivers/media/v4l2-core/v4l2-ioctl.c b/drivers/media/v4l2-core/v4l2-ioctl.c > index 58df927aec7e..f19e56116e53 100644 > --- a/drivers/media/v4l2-core/v4l2-ioctl.c > +++ b/drivers/media/v4l2-core/v4l2-ioctl.c > @@ -3124,8 +3124,10 @@ static int video_get_user(void __user *arg, void *parg, > if (copy_from_user(parg, (void __user *)arg, n)) > err = -EFAULT; > } else if (in_compat_syscall()) { > + memset(parg, 0, n); > err = v4l2_compat_get_user(arg, parg, cmd); > } else { > + memset(parg, 0, n); This could possibly be moved with the #if block by making it cover the whole switch, but I don't think this code path will be hit when cmd isn't one of the values handled below, so it shouldn't matter. Reviewed-by: Laurent Pinchart <laurent.pinchart@xxxxxxxxxxxxxxxx> > switch (cmd) { > #if !defined(CONFIG_64BIT) && defined(CONFIG_COMPAT_32BIT_TIME) > case VIDIOC_QUERYBUF_TIME32: -- Regards, Laurent Pinchart