[PATCH] drm, video: fix use-before-NULL-check

Fix potential crashes due to use-before-NULL situations. Signed-off-by: Kees Cook kees.c...@canonical.com --- drivers/gpu/drm/drm_fb_helper.c |3 ++- drivers/media/video/em28xx/em28xx-video.c |3 ++- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/drivers/gpu/drm

[PATCH] video: fix potential use-before-NULL-check crash

Moves use to after NULL-check. Signed-off-by: Kees Cook kees.c...@canonical.com --- Sent before as part of https://patchwork.kernel.org/patch/138711/ but it still hasn't been applied. --- drivers/media/video/em28xx/em28xx-video.c |3 ++- 1 files changed, 2 insertions(+), 1 deletions

[PATCH] dvb: fix potential format string leak

Make sure that a format string cannot accidentally leak into the printk buffer. Signed-off-by: Kees Cook keesc...@chromium.org --- drivers/media/dvb-frontends/dib9000.c |2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/media/dvb-frontends/dib9000.c b/drivers/media

[PATCH] doc: no singing

Stop that, stop that! You're not going to do a song while I'm here. Signed-off-by: Kees Cook keesc...@chromium.org --- https://lkml.org/lkml/2013/12/4/786 http://www.youtube.com/watch?v=g3YiPC91QUk#t=62 --- Documentation/cgroups/resource_counter.txt |2 +- Documentation/video4linux

[PATCH] media: rc-core: use %s in rc_map_get() module load

rc_map_get() takes a single string literal for the module to load, so make sure it cannot be used as a format string in the call to request_module(). Signed-off-by: Kees Cook keesc...@chromium.org --- On another security note, this raw request_module() call should have some kind of prefix

Re: [PATCH 1/1] media: dib9000: avoid out of bound access

, OUT_MSG_BRIDGE_APB_W, mb, 1 + len / 2, attribute); -- 2.0.0 -- Kees Cook Chrome OS Security -- To unsubscribe from this list: send the line unsubscribe linux-media in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html

Re: [PATCH 1/1] media: dib9000: avoid out of bound access

On Wed, Jun 18, 2014 at 6:41 PM, Heinrich Schuchardt xypron.g...@gmx.de wrote: On 19.06.2014 01:50, Kees Cook wrote: On Wed, Jun 18, 2014 at 3:02 PM, Heinrich Schuchardt xypron.g...@gmx.de wrote: The current test to avoid out of bound access to mb[] is insufficient. For len = 19 non

Re: [PATCH 1/1 v2] media: dib9000: avoid out of bound access

, IN_MSG_END_BRIDGE_APB_RW, mb, s, attribute) == 1 ? 0 : -EINVAL; } -- 2.0.0 That looks great, thanks! Reviewed-by: Kees Cook keesc...@chromium.org -Kees -- Kees Cook Chrome OS Security -- To unsubscribe from this list: send the line unsubscribe linux-media in the body of a message to majord

[PATCH] [media] af9035: make sure loading modules is const

Make sure that loaded modules are const char strings so we don't load arbitrary modules in the future, nor allow for format string leaks in the module request call. Signed-off-by: Kees Cook keesc...@chromium.org --- drivers/media/usb/dvb-usb-v2/af9035.c | 6 +++--- 1 file changed, 3 insertions

[PATCH] [media] anysee: make sure loading modules is const

Make sure that loaded modules are const char strings so we don't load arbitrary modules in the future, nor allow for format string leaks in the module request call. Signed-off-by: Kees Cook keesc...@chromium.org --- drivers/media/usb/dvb-usb-v2/anysee.c | 6 +++--- 1 file changed, 3 insertions

Re: [PATCH 0435/1285] Replace numeric parameter like 0444 with macro

0644); > +module_param(debug, int, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH); > MODULE_PARM_DESC(debug, "Debug level (0-2)"); > > struct tvp5150 { > -- > 2.9.2 > -- Kees Cook Chrome OS & Brillo Security -- To unsubscribe from this list: send the line "u

Re: [PATCH 1/1] subsystem:linux-media CVE-2016-5400

[fixing Mauro's email...] On Fri, Jul 15, 2016 at 11:52 AM, Kees Cook <keesc...@google.com> wrote: > On Fri, Jul 15, 2016 at 8:40 AM, James Patrick-Evans <ja...@jmp-e.com> wrote: >> This patch addresses CVE-2016-5400, a local DOS vulnerability caused by a >> memory le

Re: [PATCH 1/1] subsystem:linux-media CVE-2016-5400

rent 4.7. > The memory leak is caused by the probe function of the airspy driver > mishandeling errors and not freeing the corresponding control structures > when an error occours registering the device to v4l2 core. Thanks for getting this fixed! > Signed-off-by: James Patrick-Evans &l

Re: [PATCH] solo6x10: use designated initializers

On Mon, Dec 19, 2016 at 11:56 AM, Andrey Utkin <andrey.ut...@corp.bluecherry.net> wrote: > On Fri, Dec 16, 2016 at 05:05:36PM -0800, Kees Cook wrote: >> Prepare to mark sensitive kernel structures for randomization by making >> sure they're using designated initializers.

[PATCH] mtk-vcodec: use designated initializers

Prepare to mark sensitive kernel structures for randomization by making sure they're using designated initializers. These were identified during allyesconfig builds of x86, arm, and arm64, with most initializer fixes extracted from grsecurity. Signed-off-by: Kees Cook <keesc...@chromium.

[PATCH] solo6x10: use designated initializers

Prepare to mark sensitive kernel structures for randomization by making sure they're using designated initializers. These were identified during allyesconfig builds of x86, arm, and arm64, with most initializer fixes extracted from grsecurity. Signed-off-by: Kees Cook <keesc...@chromium.

[PATCH v2 17/31] media/i2c/tc358743: Initialize timer

linux-media@vger.kernel.org Signed-off-by: Kees Cook <keesc...@chromium.org> --- drivers/media/i2c/tc358743.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/media/i2c/tc358743.c b/drivers/media/i2c/tc358743.c index e6f5c363ccab..07ad6a3ff1ec 100644 --- a/drivers/me

[PATCH] media: saa7134: Convert timers to use timer_setup()

gt; Cc: Sean Young <s...@mess.org> Cc: Geliang Tang <geliangt...@gmail.com> Cc: Hans Verkuil <hans.verk...@cisco.com> Cc: linux-media@vger.kernel.org Cc: Thomas Gleixner <t...@linutronix.de> Signed-off-by: Kees Cook <keesc...@chromium.org> --- This requires commit 686

[PATCH] media/saa7146: Convert timers to use timer_setup()

this in the future. Cc: Hans Verkuil <hverk...@xs4all.nl> Cc: Mauro Carvalho Chehab <mche...@kernel.org> Cc: linux-media@vger.kernel.org Cc: Thomas Gleixner <t...@linutronix.de> Signed-off-by: Kees Cook <keesc...@chromium.org> --- This requires commit 686fef928bba ("timer: Pre

[PATCH] media: saa7146: Convert timers to use timer_setup()

linux-media@vger.kernel.org Cc: Thomas Gleixner <t...@linutronix.de> Signed-off-by: Kees Cook <keesc...@chromium.org> --- This requires commit 686fef928bba ("timer: Prepare to change timer callback argument type") in v4.14-rc3, but should be otherwise stand-alone. --- drivers/media/

[PATCH] media: serial_ir: Convert timers to use timer_setup()

linux-media@vger.kernel.org Cc: Thomas Gleixner <t...@linutronix.de> Signed-off-by: Kees Cook <keesc...@chromium.org> --- This requires commit 686fef928bba ("timer: Prepare to change timer callback argument type") in v4.14-rc3, but should be otherwise stand-alone. --- drivers/media/rc/ser

[PATCH] input: Convert timers to use timer_setup()

i Ailus <sakari.ai...@linux.intel.com> Cc: Geliang Tang <geliangt...@gmail.com> Cc: linux-in...@vger.kernel.org Cc: linux-media@vger.kernel.org Cc: Thomas Gleixner <t...@linutronix.de> Signed-off-by: Kees Cook <keesc...@chromium.org> --- This requires commit 686fef928bba ("t

[PATCH] staging/atomisp: Convert timers to use timer_setup()

gt; Cc: Alan Cox <a...@linux.intel.com> Cc: Daeseok Youn <daeseok.y...@gmail.com> Cc: Arnd Bergmann <a...@arndb.de> Cc: linux-media@vger.kernel.org Cc: de...@driverdev.osuosl.org Cc: Thomas Gleixner <t...@linutronix.de> Signed-off-by: Kees Cook <keesc...@chromium.org

Re: [PATCH] staging/atomisp: Convert timers to use timer_setup()

On Tue, Oct 17, 2017 at 1:23 AM, Sakari Ailus <sakari.ai...@iki.fi> wrote: > On Mon, Oct 16, 2017 at 04:24:56PM -0700, Kees Cook wrote: >> In preparation for unconditionally passing the struct timer_list pointer to >> all timer callbacks, switch to using the new timer_s

[PATCH] media/saa7146: Convert timers to use timer_setup()

this in the future. Cc: Hans Verkuil <hverk...@xs4all.nl> Cc: Mauro Carvalho Chehab <mche...@kernel.org> Cc: linux-media@vger.kernel.org Signed-off-by: Kees Cook <keesc...@chromium.org> --- drivers/media/common/saa7146/saa7146_fops.c | 2 +- drivers/media/common/saa7146/saa7146_vbi.c | 9

[PATCH] media: tvaudio: Convert timers to use timer_setup()

In preparation for unconditionally passing the struct timer_list pointer to all timer callbacks, switch to using the new timer_setup() and from_timer() to pass the timer pointer explicitly. Cc: Mauro Carvalho Chehab <mche...@kernel.org> Cc: linux-media@vger.kernel.org Signed-off-by: Kee

[PATCH] media: input: Convert timers to use timer_setup()

i Ailus <sakari.ai...@linux.intel.com> Cc: Geliang Tang <geliangt...@gmail.com> Cc: linux-in...@vger.kernel.org Cc: linux-media@vger.kernel.org Signed-off-by: Kees Cook <keesc...@chromium.org> Acked-by: Pali Rohár <pali.ro...@gmail.com> --- drivers/input/input.c

[PATCH] media: dvb-core: Convert timers to use timer_setup()

l.com> Cc: linux-media@vger.kernel.org Signed-off-by: Kees Cook <keesc...@chromium.org> --- drivers/media/dvb-core/dmxdev.c | 8 +++- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/drivers/media/dvb-core/dmxdev.c b/drivers/media/dvb-core/dmxdev.c index 18e4230865be..3

[PATCH] media: saa7134: Convert timers to use timer_setup()

gt; Cc: Sean Young <s...@mess.org> Cc: Geliang Tang <geliangt...@gmail.com> Cc: Hans Verkuil <hans.verk...@cisco.com> Cc: linux-media@vger.kernel.org Signed-off-by: Kees Cook <keesc...@chromium.org> --- drivers/media/pci/saa7134/saa7134-core.c | 6 +++--- drivers/m

[PATCH] media: saa7146: Convert timers to use timer_setup()

linux-media@vger.kernel.org Signed-off-by: Kees Cook <keesc...@chromium.org> --- drivers/media/common/saa7146/saa7146_fops.c | 4 ++-- drivers/media/common/saa7146/saa7146_vbi.c | 3 +-- drivers/media/common/saa7146/saa7146_video.c | 3 +-- include/media/drv-intf/saa7146_vv.h | 2 +-

[PATCH] media: tc358743: Convert timers to use timer_setup()

linux-media@vger.kernel.org Signed-off-by: Kees Cook <keesc...@chromium.org> --- drivers/media/i2c/tc358743.c | 7 +++ 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/drivers/media/i2c/tc358743.c b/drivers/media/i2c/tc358743.c index a9355032076f..359f63d7dfca 100644 --- a

[PATCH] media: serial_ir: Convert timers to use timer_setup()

linux-media@vger.kernel.org Signed-off-by: Kees Cook <keesc...@chromium.org> --- drivers/media/rc/serial_ir.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/drivers/media/rc/serial_ir.c b/drivers/media/rc/serial_ir.c index 8b66926bc16a..8bf5637b3a69 100644 --- a/drivers/media/rc

[PATCH] staging/atomisp: Convert timers to use timer_setup()

gt; Cc: Alan Cox <a...@linux.intel.com> Cc: Daeseok Youn <daeseok.y...@gmail.com> Cc: Arnd Bergmann <a...@arndb.de> Cc: linux-media@vger.kernel.org Cc: de...@driverdev.osuosl.org Signed-off-by: Kees Cook <keesc...@chromium.org> --- drivers/staging/media/atom

[PATCH 17/31] media/i2c/tc358743: Initialize timer

linux-media@vger.kernel.org Signed-off-by: Kees Cook <keesc...@chromium.org> --- drivers/media/i2c/tc358743.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/media/i2c/tc358743.c b/drivers/media/i2c/tc358743.c index 5788af238b86..94e722e0f4e0 100644 --- a/drivers/me

[PATCH] staging: atomisp: i2c: Convert timers to use timer_setup()

In preparation for unconditionally passing the struct timer_list pointer to all timer callbacks, switch to using the new timer_setup() and from_timer() to pass the timer pointer explicitly. Signed-off-by: Kees Cook <keesc...@chromium.org> --- drivers/staging/media/atomisp/i2c/lm3554

Re: [PATCH v2] media: ttpci: remove autorepeat handling and use timer_setup

nput_dev = input_allocate_device(); > if (!input_dev) > @@ -365,8 +344,13 @@ int av7110_ir_init(struct av7110 *av7110) > input_free_device(input_dev); > return err; > } > - input_dev->timer.function = input_repeat_key; > - input_dev->timer.data = (unsigned long) >ir; > + > + /* > +* Input core's default autorepeat is 33 cps with 250 msec > +* delay, let's adjust to numbers more suitable for remote > +* control. > +*/ > + input_enable_softrepeat(input_dev, 250, 125); > > if (av_cnt == 1) { > e = proc_create("av7110_ir", S_IWUSR, NULL, > _ir_proc_fops); > -- > 2.13.6 > -- Kees Cook Pixel Security

Re: [PATCH v2] media: ttpci: remove autorepeat handling and use timer_setup

; On Thu, Nov 02, 2017 at 04:24:27PM -0700, Kees Cook wrote: >> > > On Tue, Oct 31, 2017 at 1:11 PM, Sean Young <s...@mess.org> wrote: >> > > > Leave the autorepeat handling up to the input layer, and move >> > > > to the new timer API. >>

Re: [PATCH] media: pvrusb2: Convert timers to use timer_setup()

Eek, sorry, this uses timer_setup_on_stack() which is only in -next. If you can Ack this, I can carry it in the timer tree. Thanks! -Kees On Tue, Oct 24, 2017 at 5:22 PM, Kees Cook <keesc...@chromium.org> wrote: > In preparation for unconditionally passing the struct timer_list pointer

[PATCH] media: pci: Convert timers to use timer_setup()

oung <s...@mess.org> Cc: Sakari Ailus <sakari.ai...@linux.intel.com> Cc: "Pali Rohár" <pali.ro...@gmail.com> Cc: linux-media@vger.kernel.org Signed-off-by: Kees Cook <keesc...@chromium.org> --- drivers/media/pci/bt8xx/bttv-driver.c | 6 +++--- drivers/media/pci/

Re: [PATCH] media: input: Convert timers to use timer_setup()

On Thu, Oct 19, 2017 at 3:48 PM, Dmitry Torokhov <dmitry.torok...@gmail.com> wrote: > On Thu, Oct 19, 2017 at 03:45:38PM -0700, Kees Cook wrote: >> On Thu, Oct 19, 2017 at 3:32 PM, Dmitry Torokhov >> <dmitry.torok...@gmail.com> wrote: >> > On Mon, Oct 16, 2017

[PATCH] media: s2255: Convert timers to use timer_setup()

d.com> Cc: Sakari Ailus <sakari.ai...@linux.intel.com> Cc: Bhumika Goyal <bhumi...@gmail.com> Cc: Mike Isely <is...@pobox.com> Cc: Arvind Yadav <arvind.yadav...@gmail.com> Cc: linux-media@vger.kernel.org Signed-off-by: Kees Cook <keesc...@chromium.org> --- drivers

[PATCH] media: radio: Convert timers to use timer_setup()

t;David S. Miller" <da...@davemloft.net> Cc: Johannes Berg <johannes.b...@intel.com> Cc: linux-media@vger.kernel.org Signed-off-by: Kees Cook <keesc...@chromium.org> --- drivers/media/radio/radio-cadet.c | 7 +++ drivers/media/radio/wl128x/fmdrv_common.c | 7 +++-

[PATCH] media: pvrusb2: Convert timers to use timer_setup()

linux-media@vger.kernel.org Signed-off-by: Kees Cook <keesc...@chromium.org> --- drivers/media/usb/pvrusb2/pvrusb2-hdw.c | 64 ++--- 1 file changed, 36 insertions(+), 28 deletions(-) diff --git a/drivers/media/usb/pvrusb2/pvrusb2-hdw.c b/drivers/media/usb/pvrusb2/p

[PATCH] media: rc: Convert timers to use timer_setup()

hyti <andi.sh...@samsung.com> Cc: linux-media@vger.kernel.org Signed-off-by: Kees Cook <keesc...@chromium.org> --- drivers/media/rc/ene_ir.c | 7 +++ drivers/media/rc/igorplugusb.c| 6 +++--- drivers/media/rc/img-ir/img-ir-hw.c | 13 ++--- drivers/media

Re: [PATCH] media: av7110: switch to useing timer_setup()

autorepeat > delay and forcing autorepeat period to be whatever the hardware has. > > Signed-off-by: Dmitry Torokhov <dmitry.torok...@gmail.com> Reviewed-by: Kees Cook <keesc...@chromium.org> (with the Subject typo fixed) Hans, since this depends on the input side not changin

Re: [PATCH] media: media-device: fix ioctl function types

> Thanks for sending these! Reviewed-by: Kees Cook <keesc...@chromium.org> -Kees > --- > drivers/media/media-device.c | 21 +++-- > 1 file changed, 11 insertions(+), 10 deletions(-) > > diff --git a/drivers/media/media-device.c b/drivers/media/media-devic

Re: [PATCH] media: v4l2-ioctl: fix function types for IOCTL_INFO_STD

actual function. > > Signed-off-by: Sami Tolvanen <samitolva...@google.com> I think this actually makes things much more readable in the end. Thanks! Reviewed-by: Kees Cook <keesc...@chromium.org> -Kees > --- > drivers/media/v4l2-core/v4l2-ioctl.c | 72 ++

Re: [PATCH] media: input: Convert timers to use timer_setup()

On Thu, Oct 19, 2017 at 3:32 PM, Dmitry Torokhov <dmitry.torok...@gmail.com> wrote: > On Mon, Oct 16, 2017 at 04:14:43PM -0700, Kees Cook wrote: >> In preparation for unconditionally passing the struct timer_list pointer to >> all timer callbacks, switch to usin

Re: [PATCH 3/3] media: replace strncpy() by strscpy()

ng NUL-padding to clear a buffer of prior contents. How did you validate that for these changes? -Kees -- Kees Cook Pixel Security

Re: [PATCH 1/3] media: use strscpy() instead of strlcpy()

e meaning between strlcpy() and strscpy() differs). Reviewed-by: Kees Cook -Kees -- Kees Cook Pixel Security

Re: [PATCH 2/3] media: replace strcpy() by strscpy()

r *ptr; } strscpy(instance->buffer, source, sizeof(instance->buffer)); is correct. But: strscpy(instance->ptr, source, sizeof(instance->ptr)); will not be and will truncate strings to sizeof(char *). If you _did_ verify this, I'd love to know more about your tooling. :) -Kees -

Re: [PATCH 3/3] media: replace strncpy() by strscpy()

On Mon, Sep 10, 2018 at 11:34 AM, Mauro Carvalho Chehab wrote: > Em Mon, 10 Sep 2018 09:18:05 -0700 > Kees Cook escreveu: > >> On Mon, Sep 10, 2018 at 5:19 AM, Mauro Carvalho Chehab >> wrote: >> > The strncpy() function is being deprecated upstream. Replac

Re: [PATCH][RFC] kernel.h: provide array iterator

[0]) + > __must_be_array(arr)) > > +/** > + * for_each_array_element - Iterate all items in an array > + * @elem: pointer of array type for iteration cursor > + * @array: array to be iterated > + */ > +#define for_each_array_element(elem, array) \ > + for (elem = &(array)[0]; \ > +elem < &(array)[ARRAY_SIZE(array)]; \ > +++elem) > + > #define u64_to_user_ptr(x) ( \ > { \ > typecheck(u64, x); \ > -- > 2.7.4 > -- Kees Cook Pixel Security