Hi Edward, On 03/09/2024 04:57, Edward Adam Davis wrote: > The warning appears because the size passed to kvzalloc is larger than INT_MAX. > > Add parameter size check before calling kvzalloc in __v4l2_ctrl_modify_dimensions. I missed the original syzbot post, it ended up in my Spam folder :-( In any case, this patch doesn't address the real problem, which is that vivid was missing a check to prevent bad width and height values to be rejected. And those checks really should take place in core functionality. I've made a patch for that (you're CC-ed). Regards, Hans > > #syz test > > diff --git a/drivers/media/v4l2-core/v4l2-ctrls-api.c b/drivers/media/v4l2-core/v4l2-ctrls-api.c > index e5a364efd5e6..0b008cc94901 100644 > --- a/drivers/media/v4l2-core/v4l2-ctrls-api.c > +++ b/drivers/media/v4l2-core/v4l2-ctrls-api.c > @@ -986,6 +986,7 @@ int __v4l2_ctrl_modify_dimensions(struct v4l2_ctrl *ctrl, > unsigned int elems = 1; > unsigned int i; > void *p_array; > + unsigned int bytes; > > lockdep_assert_held(ctrl->handler->lock); > > @@ -996,7 +997,12 @@ int __v4l2_ctrl_modify_dimensions(struct v4l2_ctrl *ctrl, > elems *= dims[i]; > if (elems == 0) > return -EINVAL; > - p_array = kvzalloc(2 * elems * ctrl->elem_size, GFP_KERNEL); > + > + bytes = 2 * elems * ctrl->elem_size; > + if (unlikely(bytes > INT_MAX)) > + return -EINVAL; > + > + p_array = kvzalloc(bytes, GFP_KERNEL); > if (!p_array) > return -ENOMEM; > kvfree(ctrl->p_array); > >
