On Fri, Jun 18, 2021 at 12:34 PM Tetsuo Handa <penguin-kernel@xxxxxxxxxxxxxxxxxxx> wrote:
>
> KMSAN complains that ioctl(VIDIOC_QUERYBUF_TIME32) copies uninitialized
> kernel stack memory to userspace [1], for video_usercopy() calls
> copy_to_user() even if __video_do_ioctl() returned an -EINVAL error.
>
> Generally, copy_to_user() needn't be called when there was an error.
> But video_usercopy() has always_copy logic which forces copy_to_user().
> Therefore, instead of not calling copy_to_user(), explicitly initialize
> the argument buffer.
>
> ----------
> /* Compile for 32bit userspace and run on 64bit kernel. */
> #include <sys/types.h>
> #include <sys/stat.h>
> #include <fcntl.h>
> #include <sys/ioctl.h>
> #define VIDIOC_QUERYBUF_TIME32 0xc0505609
>
> int main(int argc, char *argv[])
> {
> 	char buf[128] = { };
>
> 	ioctl(open("/dev/video0", O_RDONLY), VIDIOC_QUERYBUF_TIME32, &buf);
> 	return 0;
> }
> ----------
>
> Link: https://syzkaller.appspot.com/bug?id=eb945b02a7b3060a8a60dab673c02f3ab20a048b [1]
> Reported-by: syzbot <syzbot+142888ffec98ab194028@xxxxxxxxxxxxxxxxxxxxxxxxx>
> Signed-off-by: Tetsuo Handa <penguin-kernel@xxxxxxxxxxxxxxxxxxx>

This should no longer be necessary once my recent patches propagate into
linux-next, see
https://patchwork.linuxtv.org/project/linux-media/list/?series=5678&state=*

        Arnd
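A user-space model of the always_copy path described in the quoted commit message, added here as an illustration; it is not code from the patch, from the kernel, or from either participant in the thread. The names (usercopy, handler_rejects, ARG_SIZE, STALE) are hypothetical. Genuinely uninitialized stack contents cannot be reproduced deterministically from user space, so the scratch buffer is pre-filled with a constructed marker byte that stands in for stale kernel stack data. The only detail taken from the page is the 80-byte argument size, which is the size field encoded in the ioctl number 0xc0505609 (bits 16..29 are 0x50). The model shows why an early -EINVAL return still lands stale bytes in the caller's buffer when the copy-back is unconditional, and why zeroing the argument buffer before dispatch closes the leak without changing the copy semantics.

```c
/*
 * Added example (not from the patch or the kernel): a user-space model of
 * an ioctl dispatcher with "always copy" semantics, showing why an early
 * -EINVAL return still reaches the caller's buffer and how zeroing the
 * argument buffer up front closes the leak. All names here are hypothetical.
 */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Size field of VIDIOC_QUERYBUF_TIME32 (0xc0505609): bits 16..29 are 0x50. */
#define ARG_SIZE 80

/* Constructed stand-in for stale kernel stack bytes; real uninitialized
 * stack contents are not reproducible from user space. */
#define STALE 0xAA

/* Hypothetical handler that rejects the request before writing anything
 * to *arg, like __video_do_ioctl() returning -EINVAL. */
static int handler_rejects(void *arg, size_t len)
{
    (void)arg;
    (void)len;
    return -EINVAL;
}

/*
 * Model of the dispatcher. A stack scratch buffer is passed to the handler;
 * with always_copy set, its contents are copied back to the caller even
 * when the handler failed. zero_arg selects the fix from the quoted patch:
 * initialize the scratch buffer before dispatch.
 */
static int usercopy(int (*handler)(void *, size_t), int always_copy,
                    int zero_arg, unsigned char *user_buf, size_t len)
{
    unsigned char sbuf[ARG_SIZE];
    int err;

    if (len > sizeof sbuf)
        return -EINVAL;

    memset(sbuf, STALE, sizeof sbuf);   /* constructed: models a dirty stack */
    if (zero_arg)
        memset(sbuf, 0, sizeof sbuf);   /* the fix: explicit initialization */

    err = handler(sbuf, len);

    /* Unconditional copy-back when always_copy is set: this is the path
     * that hands stale bytes to the caller on the error return. */
    if (err == 0 || always_copy)
        memcpy(user_buf, sbuf, len);    /* stands in for copy_to_user() */

    return err;
}

/* Count bytes in the caller's buffer that carry the STALE marker. */
static size_t leaked_bytes(const unsigned char *buf, size_t len)
{
    size_t n = 0;
    for (size_t i = 0; i < len; i++)
        if (buf[i] == STALE)
            n++;
    return n;
}

/* Run one configuration against a zeroed caller buffer, like the
 * reproducer's `char buf[128] = { }`, and report the handler's return
 * value and the number of leaked bytes. */
static void run_case(int always_copy, int zero_arg, int *err, size_t *leaked)
{
    unsigned char user_buf[ARG_SIZE];

    memset(user_buf, 0, sizeof user_buf);
    *err = usercopy(handler_rejects, always_copy, zero_arg,
                    user_buf, sizeof user_buf);
    *leaked = leaked_bytes(user_buf, sizeof user_buf);
}

static size_t case_leak(int always_copy, int zero_arg)
{
    int err;
    size_t leaked;
    run_case(always_copy, zero_arg, &err, &leaked);
    return leaked;
}

static int case_err(int always_copy, int zero_arg)
{
    int err;
    size_t leaked;
    run_case(always_copy, zero_arg, &err, &leaked);
    return err;
}

int main(void)
{
    printf("always_copy, no init : err=%d leaked=%zu\n", case_err(1, 0), case_leak(1, 0));
    printf("always_copy, zeroed  : err=%d leaked=%zu\n", case_err(1, 1), case_leak(1, 1));
    printf("no always_copy       : err=%d leaked=%zu\n", case_err(0, 0), case_leak(0, 0));
    return 0;
}
```

The three cases separate the two possible fixes the commit message weighs: dropping the copy on error (third case) also stops the leak, but changes what callers relying on always_copy receive; zeroing the argument buffer (second case) keeps the copy-back and still returns nothing but zeros alongside the -EINVAL.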