Relax :-) I'll pick it up the next time I go through simple bug fix patches like this one, probably in 2-3 weeks or so. Regards, Hans On 02/09/2023 19:56, Rajeshwar Shinde wrote: > Remainder > > On Wed, 30 Aug, 2023, 1:14 pm , <coolrrsh@xxxxxxxxx <mailto:coolrrsh@xxxxxxxxx>> wrote: > > From: Rajeshwar R Shinde <coolrrsh@xxxxxxxxx <mailto:coolrrsh@xxxxxxxxx>> > > Syzkaller reported the following issue: > UBSAN: shift-out-of-bounds in drivers/media/usb/gspca/cpia1.c:1031:27 > shift exponent 245 is too large for 32-bit type 'int' > > When the value of the variable "sd->params.exposure.gain" exceeds the > number of bits in an integer, a shift-out-of-bounds error is reported. It > is triggered because the variable "currentexp" cannot be left-shifted by > more than the number of bits in an integer. In order to avoid invalid > range during left-shift, the conditional expression is added. > > > Reported-by: syzbot+e27f3dbdab04e43b9f73@xxxxxxxxxxxxxxxxxxxxxxxxx <mailto:syzbot%2Be27f3dbdab04e43b9f73@xxxxxxxxxxxxxxxxxxxxxxxxx> > Closes: https://lore.kernel.org/all/20230818164522.12806-1-coolrrsh@xxxxxxxxx <https://lore.kernel.org/all/20230818164522.12806-1-coolrrsh@xxxxxxxxx> > Link: https://syzkaller.appspot.com/bug?extid=e27f3dbdab04e43b9f73 > Signed-off-by <https://syzkaller.appspot.com/bug?extid=e27f3dbdab04e43b9f73Signed-off-by>: Rajeshwar R Shinde <coolrrsh@xxxxxxxxx <mailto:coolrrsh@xxxxxxxxx>> > --- > v1->v2 > Changed the patch. Instead of avoiding shift operation for invalid > input of 'exposure.gain', throw an error for invalid range. > v2->v3 > Changed the commit message details > v3->v4 > Removed the trailing spaces in commit message > v4->v5 > Replaced the hardcoded value with inbuilt macro > --- > drivers/media/usb/gspca/cpia1.c | 3 +++ > 1 file changed, 3 insertions(+) > > diff --git a/drivers/media/usb/gspca/cpia1.c b/drivers/media/usb/gspca/cpia1.c > index 46ed95483e22..5f5fa851ca64 100644 > --- a/drivers/media/usb/gspca/cpia1.c > +++ b/drivers/media/usb/gspca/cpia1.c > @@ -18,6 +18,7 @@ > > #include <linux/input.h> > #include <linux/sched/signal.h> > +#include <linux/bitops.h> > > #include "gspca.h" > > @@ -1028,6 +1029,8 @@ static int set_flicker(struct gspca_dev *gspca_dev, int on, int apply) > sd->params.exposure.expMode = 2; > sd->exposure_status = EXPOSURE_NORMAL; > } > + if (sd->params.exposure.gain >= BITS_PER_TYPE(currentexp)) > + return -EINVAL; > currentexp = currentexp << sd->params.exposure.gain; > sd->params.exposure.gain = 0; > /* round down current exposure to nearest value */ > -- > 2.25.1 >
