media: v4l2-compat-ioctl32.c: zero buffer passed to v4l2_compat_get_array_args()

The v4l2_compat_get_array_args() function can leave uninitialized memory in the buffer it is passed. So zero it before copying array elements from userspace into the buffer. Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl> Reported-by: syzbot+ff18193ff05f3f87f226@syzkaller.appspotmail.com Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com> Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
author: Hans Verkuil <hverkuil-cisco@xs4all.nl> 2022-03-21 11:33:56 +0300
committer: Mauro Carvalho Chehab <mchehab@kernel.org> 2022-09-27 11:24:43 +0300
commit: 4e768c8e34e639cff66a0f175bc4aebf472e4305 (patch)
tree: 10fc6a9eaeb1bfe9a68756398eec46ca3c1ebac3 /drivers/media
parent: 150f7b11cb59670a147e88580a604ce3c6845a88 (diff)
download: linux-4e768c8e34e639cff66a0f175bc4aebf472e4305.tar.xz
1 files changed, 2 insertions, 0 deletions
diff --git a/drivers/media/v4l2-core/v4l2-compat-ioctl32.c b/drivers/media/v4l2-core/v4l2-compat-ioctl32.c
index 0f3d6b5667b0..55c26e7d370e 100644
--- a/drivers/media/v4l2-core/v4l2-compat-ioctl32.c
+++ b/drivers/media/v4l2-core/v4l2-compat-ioctl32.c
@@ -1040,6 +1040,8 @@ int v4l2_compat_get_array_args(struct file *file, void *mbuf,
 {
 	int err = 0;
 
+	memset(mbuf, 0, array_size);
+
 	switch (cmd) {
 	case VIDIOC_G_FMT32:
 	case VIDIOC_S_FMT32:
author	Hans Verkuil <hverkuil-cisco@xs4all.nl>	2022-03-21 11:33:56 +0300
committer	Mauro Carvalho Chehab <mchehab@kernel.org>	2022-09-27 11:24:43 +0300
commit	4e768c8e34e639cff66a0f175bc4aebf472e4305 (patch)
tree	10fc6a9eaeb1bfe9a68756398eec46ca3c1ebac3 /drivers/media
parent	150f7b11cb59670a147e88580a604ce3c6845a88 (diff)
download	linux-4e768c8e34e639cff66a0f175bc4aebf472e4305.tar.xz