summaryrefslogtreecommitdiff
path: root/drivers/media/usb/gspca/cpia1.c
diff options
context:
space:
mode:
authorRajeshwar R Shinde <coolrrsh@gmail.com>2023-08-30 10:44:01 +0300
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>2023-11-28 19:45:44 +0300
commit69bba62600bd91d6b7c1e8ca181faf8ac64f7060 (patch)
treee4c7621812afba17d9ba4a7a967edf8804fb2d04 /drivers/media/usb/gspca/cpia1.c
parent807828f053f251c65452614a5bd47cd6eae67baf (diff)
downloadlinux-69bba62600bd91d6b7c1e8ca181faf8ac64f7060.tar.xz
media: gspca: cpia1: shift-out-of-bounds in set_flicker
[ Upstream commit 099be1822d1f095433f4b08af9cc9d6308ec1953 ] Syzkaller reported the following issue: UBSAN: shift-out-of-bounds in drivers/media/usb/gspca/cpia1.c:1031:27 shift exponent 245 is too large for 32-bit type 'int' When the value of the variable "sd->params.exposure.gain" exceeds the number of bits in an integer, a shift-out-of-bounds error is reported. It is triggered because the variable "currentexp" cannot be left-shifted by more than the number of bits in an integer. In order to avoid invalid range during left-shift, the conditional expression is added. Reported-by: syzbot+e27f3dbdab04e43b9f73@syzkaller.appspotmail.com Closes: https://lore.kernel.org/all/20230818164522.12806-1-coolrrsh@gmail.com Link: https://syzkaller.appspot.com/bug?extid=e27f3dbdab04e43b9f73 Signed-off-by: Rajeshwar R Shinde <coolrrsh@gmail.com> Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl> Signed-off-by: Sasha Levin <sashal@kernel.org>
Diffstat (limited to 'drivers/media/usb/gspca/cpia1.c')
-rw-r--r--drivers/media/usb/gspca/cpia1.c3
1 files changed, 3 insertions, 0 deletions
diff --git a/drivers/media/usb/gspca/cpia1.c b/drivers/media/usb/gspca/cpia1.c
index e91d00762e94..bf34479a87cc 100644
--- a/drivers/media/usb/gspca/cpia1.c
+++ b/drivers/media/usb/gspca/cpia1.c
@@ -28,6 +28,7 @@
#include <linux/input.h>
#include <linux/sched/signal.h>
+#include <linux/bitops.h>
#include "gspca.h"
@@ -1032,6 +1033,8 @@ static int set_flicker(struct gspca_dev *gspca_dev, int on, int apply)
sd->params.exposure.expMode = 2;
sd->exposure_status = EXPOSURE_NORMAL;
}
+ if (sd->params.exposure.gain >= BITS_PER_TYPE(currentexp))
+ return -EINVAL;
currentexp = currentexp << sd->params.exposure.gain;
sd->params.exposure.gain = 0;
/* round down current exposure to nearest value */