From: Rajeshwar R Shinde <coolrrsh@xxxxxxxxx> Syzkaller reported the following issue: UBSAN: shift-out-of-bounds in drivers/media/usb/gspca/cpia1.c:1031:27 shift exponent 245 is too large for 32-bit type 'int' When the value of the variable "sd->params.exposure.gain" exceeds the number of bits in an int, a shift-out-of-bounds error occurs. The error is generated when the variable "currentexp" is left-shifted by more than 31 bits. In order to confirm the range is valid, the conditional expression was added. Reported-by: syzbot+e27f3dbdab04e43b9f73@xxxxxxxxxxxxxxxxxxxxxxxxx Closes: https://lore.kernel.org/all/20230818164522.12806-1-coolrrsh@xxxxxxxxx Link: https://syzkaller.appspot.com/bug?extid=e27f3dbdab04e43b9f73 Signed-off-by: Rajeshwar R Shinde <coolrrsh@xxxxxxxxx> --- v1->v2 Changed the patch. Instead of avoiding shift operation for invalid input of 'exposure.gain', throw an error for invalid range. v2->v3 Changed the commit message details v3->v4 Removed the trailing spaces in commit message --- drivers/media/usb/gspca/cpia1.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/media/usb/gspca/cpia1.c b/drivers/media/usb/gspca/cpia1.c index 46ed95483e22..dafc522d5e7b 100644 --- a/drivers/media/usb/gspca/cpia1.c +++ b/drivers/media/usb/gspca/cpia1.c @@ -1028,6 +1028,8 @@ static int set_flicker(struct gspca_dev *gspca_dev, int on, int apply) sd->params.exposure.expMode = 2; sd->exposure_status = EXPOSURE_NORMAL; } + if (sd->params.exposure.gain > 31) + return -EINVAL; currentexp = currentexp << sd->params.exposure.gain; sd->params.exposure.gain = 0; /* round down current exposure to nearest value */ -- 2.25.1