Skip to content
Commit 4843a543 authored by Hans Verkuil's avatar Hans Verkuil Committed by Mauro Carvalho Chehab
Browse files

media: gspca: zero usb_buf on error 

If reg_r() fails, then gspca_dev->usb_buf was left uninitialized,
and some drivers used the contents of that buffer in logic.

This caused several syzbot errors:

https://syzkaller.appspot.com/bug?extid=397fd082ce5143e2f67d
https://syzkaller.appspot.com/bug?extid=1a35278dd0ebfb3a038a
https://syzkaller.appspot.com/bug?extid=06ddf1788cfd048c5e82



I analyzed the gspca drivers and zeroed the buffer where needed.

Reported-and-tested-by: default avatar <syzbot+1a35278dd0ebfb3a038a@syzkaller.appspotmail.com>
Reported-and-tested-by: default avatar <syzbot+397fd082ce5143e2f67d@syzkaller.appspotmail.com>
Reported-and-tested-by: default avatar <syzbot+06ddf1788cfd048c5e82@syzkaller.appspotmail.com>

Signed-off-by: default avatarHans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: default avatarMauro Carvalho Chehab <mchehab+samsung@kernel.org>
parent 2509d725
Show whitespace changes
Inline Side-by-side
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Please register or to comment