Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 2072ed7c authored by Kees Cook's avatar Kees Cook Committed by Greg Kroah-Hartman
Browse files

media: uvcvideo: Silence memcpy() run-time false positive warnings 



[ Upstream commit b839212988575c701aab4d3d9ca15e44c87e383c ]

The memcpy() in uvc_video_decode_meta() intentionally copies across the
length and flags members and into the trailing buf flexible array.
Split the copy so that the compiler can better reason about (the lack
of) buffer overflows here. Avoid the run-time false positive warning:

  memcpy: detected field-spanning write (size 12) of single field "&meta->length" at drivers/media/usb/uvc/uvc_video.c:1355 (size 1)

Additionally fix a typo in the documentation for struct uvc_meta_buf.

Reported-by: default avatar <ionut_n2001@yahoo.com>
Link: https://bugzilla.kernel.org/show_bug.cgi?id=216810


Signed-off-by: default avatarKees Cook <keescook@chromium.org>
Reviewed-by: default avatarLaurent Pinchart <laurent.pinchart@ideasonboard.com>
Signed-off-by: default avatarLaurent Pinchart <laurent.pinchart@ideasonboard.com>
Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
parent e2cc773f

drivers/media/usb/uvc/uvc_video.c

+3 −1
Original line number Diff line number Diff line
@@ -1308,7 +1308,9 @@ static void uvc_video_decode_meta(struct uvc_streaming *stream, 
	if (has_scr)

		memcpy(stream->clock.last_scr, scr, 6);



	memcpy(&meta->length, mem, length);

	meta->length = mem[0];

	meta->flags  = mem[1];

	memcpy(meta->buf, &mem[2], length - 2);

	meta_buf->bytesused += length + sizeof(meta->ns) + sizeof(meta->sof);



	uvc_trace(UVC_TRACE_FRAME,

include/uapi/linux/uvcvideo.h

+1 −1
Original line number Diff line number Diff line
@@ -86,7 +86,7 @@ struct uvc_xu_control_query { 
 * struct. The first two fields are added by the driver, they can be used for

 * clock synchronisation. The rest is an exact copy of a UVC payload header.

 * Only complete objects with complete buffers are included. Therefore it's

 * always sizeof(meta->ts) + sizeof(meta->sof) + meta->length bytes large.

 * always sizeof(meta->ns) + sizeof(meta->sof) + meta->length bytes large.

 */

struct uvc_meta_buf {

	__u64 ns;