Fix potential crashes due to use-before-NULL situations.
Signed-off-by: Kees Cook kees.c...@canonical.com
---
drivers/gpu/drm/drm_fb_helper.c |3 ++-
drivers/media/video/em28xx/em28xx-video.c |3 ++-
2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/drivers/gpu/drm
Moves use to after NULL-check.
Signed-off-by: Kees Cook kees.c...@canonical.com
---
Sent before as part of https://patchwork.kernel.org/patch/138711/ but it
still hasn't been applied.
---
drivers/media/video/em28xx/em28xx-video.c |3 ++-
1 files changed, 2 insertions(+), 1 deletions
Make sure that a format string cannot accidentally leak into the printk
buffer.
Signed-off-by: Kees Cook keesc...@chromium.org
---
drivers/media/dvb-frontends/dib9000.c |2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/media/dvb-frontends/dib9000.c
b/drivers/media
Stop that, stop that! You're not going to do a song while I'm here.
Signed-off-by: Kees Cook keesc...@chromium.org
---
https://lkml.org/lkml/2013/12/4/786
http://www.youtube.com/watch?v=g3YiPC91QUk#t=62
---
Documentation/cgroups/resource_counter.txt |2 +-
Documentation/video4linux
rc_map_get() takes a single string literal for the module to load,
so make sure it cannot be used as a format string in the call to
request_module().
Signed-off-by: Kees Cook keesc...@chromium.org
---
On another security note, this raw request_module() call should have
some kind of prefix
, OUT_MSG_BRIDGE_APB_W, mb, 1 + len / 2,
attribute);
--
2.0.0
--
Kees Cook
Chrome OS Security
--
To unsubscribe from this list: send the line unsubscribe linux-media in
the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
On Wed, Jun 18, 2014 at 6:41 PM, Heinrich Schuchardt xypron.g...@gmx.de wrote:
On 19.06.2014 01:50, Kees Cook wrote:
On Wed, Jun 18, 2014 at 3:02 PM, Heinrich Schuchardt xypron.g...@gmx.de
wrote:
The current test to avoid out of bound access to mb[] is insufficient.
For len = 19 non
, IN_MSG_END_BRIDGE_APB_RW,
mb, s, attribute) == 1 ? 0 : -EINVAL;
}
--
2.0.0
That looks great, thanks!
Reviewed-by: Kees Cook keesc...@chromium.org
-Kees
--
Kees Cook
Chrome OS Security
Make sure that loaded modules are const char strings so we don't
load arbitrary modules in the future, nor allow for format string
leaks in the module request call.
Signed-off-by: Kees Cook keesc...@chromium.org
---
drivers/media/usb/dvb-usb-v2/af9035.c | 6 +++---
1 file changed, 3 insertions
Make sure that loaded modules are const char strings so we don't
load arbitrary modules in the future, nor allow for format string
leaks in the module request call.
Signed-off-by: Kees Cook keesc...@chromium.org
---
drivers/media/usb/dvb-usb-v2/anysee.c | 6 +++---
1 file changed, 3 insertions
0644);
> +module_param(debug, int, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
> MODULE_PARM_DESC(debug, "Debug level (0-2)");
>
> struct tvp5150 {
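Review bot: the added `module_param(debug, ...)` line spells the mode as `S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH`, which is the same value as octal 0644 but takes longer to read and is easier to get wrong when edited. Kernel coding style and checkpatch prefer octal permissions, so I would write the third argument as `0644` here.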
> --
> 2.9.2
>
--
Kees Cook
Chrome OS & Brillo Security
[fixing Mauro's email...]
On Fri, Jul 15, 2016 at 11:52 AM, Kees Cook <keesc...@google.com> wrote:
> On Fri, Jul 15, 2016 at 8:40 AM, James Patrick-Evans <ja...@jmp-e.com> wrote:
>> This patch addresses CVE-2016-5400, a local DOS vulnerability caused by a
>> memory le
rent 4.7.
> The memory leak is caused by the probe function of the airspy driver
> mishandling errors and not freeing the corresponding control structures
> when an error occurs registering the device to v4l2 core.
Thanks for getting this fixed!
> Signed-off-by: James Patrick-Evans
On Mon, Dec 19, 2016 at 11:56 AM, Andrey Utkin
<andrey.ut...@corp.bluecherry.net> wrote:
> On Fri, Dec 16, 2016 at 05:05:36PM -0800, Kees Cook wrote:
>> Prepare to mark sensitive kernel structures for randomization by making
>> sure they're using designated initializers.
Prepare to mark sensitive kernel structures for randomization by making
sure they're using designated initializers. These were identified during
allyesconfig builds of x86, arm, and arm64, with most initializer fixes
extracted from grsecurity.
Signed-off-by: Kees Cook <keesc...@chromium.
linux-media@vger.kernel.org
Signed-off-by: Kees Cook <keesc...@chromium.org>
---
drivers/media/i2c/tc358743.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/media/i2c/tc358743.c b/drivers/media/i2c/tc358743.c
index e6f5c363ccab..07ad6a3ff1ec 100644
--- a/drivers/me
Cc: Sean Young <s...@mess.org>
Cc: Geliang Tang <geliangt...@gmail.com>
Cc: Hans Verkuil <hans.verk...@cisco.com>
Cc: linux-media@vger.kernel.org
Cc: Thomas Gleixner <t...@linutronix.de>
Signed-off-by: Kees Cook <keesc...@chromium.org>
---
This requires commit 686
this in the
future.
Cc: Hans Verkuil <hverk...@xs4all.nl>
Cc: Mauro Carvalho Chehab <mche...@kernel.org>
Cc: linux-media@vger.kernel.org
Cc: Thomas Gleixner <t...@linutronix.de>
Signed-off-by: Kees Cook <keesc...@chromium.org>
---
This requires commit 686fef928bba ("timer: Pre
linux-media@vger.kernel.org
Cc: Thomas Gleixner <t...@linutronix.de>
Signed-off-by: Kees Cook <keesc...@chromium.org>
---
This requires commit 686fef928bba ("timer: Prepare to change timer
callback argument type") in v4.14-rc3, but should be otherwise
stand-alone.
---
drivers/media/
linux-media@vger.kernel.org
Cc: Thomas Gleixner <t...@linutronix.de>
Signed-off-by: Kees Cook <keesc...@chromium.org>
---
This requires commit 686fef928bba ("timer: Prepare to change timer
callback argument type") in v4.14-rc3, but should be otherwise
stand-alone.
---
drivers/media/rc/ser
i Ailus <sakari.ai...@linux.intel.com>
Cc: Geliang Tang <geliangt...@gmail.com>
Cc: linux-in...@vger.kernel.org
Cc: linux-media@vger.kernel.org
Cc: Thomas Gleixner <t...@linutronix.de>
Signed-off-by: Kees Cook <keesc...@chromium.org>
---
This requires commit 686fef928bba ("t
Cc: Alan Cox <a...@linux.intel.com>
Cc: Daeseok Youn <daeseok.y...@gmail.com>
Cc: Arnd Bergmann <a...@arndb.de>
Cc: linux-media@vger.kernel.org
Cc: de...@driverdev.osuosl.org
Cc: Thomas Gleixner <t...@linutronix.de>
Signed-off-by: Kees Cook <keesc...@chromium.org
On Tue, Oct 17, 2017 at 1:23 AM, Sakari Ailus <sakari.ai...@iki.fi> wrote:
> On Mon, Oct 16, 2017 at 04:24:56PM -0700, Kees Cook wrote:
>> In preparation for unconditionally passing the struct timer_list pointer to
>> all timer callbacks, switch to using the new timer_s
this in the
future.
Cc: Hans Verkuil <hverk...@xs4all.nl>
Cc: Mauro Carvalho Chehab <mche...@kernel.org>
Cc: linux-media@vger.kernel.org
Signed-off-by: Kees Cook <keesc...@chromium.org>
---
drivers/media/common/saa7146/saa7146_fops.c | 2 +-
drivers/media/common/saa7146/saa7146_vbi.c | 9
In preparation for unconditionally passing the struct timer_list pointer to
all timer callbacks, switch to using the new timer_setup() and from_timer()
to pass the timer pointer explicitly.
Cc: Mauro Carvalho Chehab <mche...@kernel.org>
Cc: linux-media@vger.kernel.org
Signed-off-by: Kee
i Ailus <sakari.ai...@linux.intel.com>
Cc: Geliang Tang <geliangt...@gmail.com>
Cc: linux-in...@vger.kernel.org
Cc: linux-media@vger.kernel.org
Signed-off-by: Kees Cook <keesc...@chromium.org>
Acked-by: Pali Rohár <pali.ro...@gmail.com>
---
drivers/input/input.c
l.com>
Cc: linux-media@vger.kernel.org
Signed-off-by: Kees Cook <keesc...@chromium.org>
---
drivers/media/dvb-core/dmxdev.c | 8 +++-
1 file changed, 3 insertions(+), 5 deletions(-)
diff --git a/drivers/media/dvb-core/dmxdev.c b/drivers/media/dvb-core/dmxdev.c
index 18e4230865be..3
Cc: Sean Young <s...@mess.org>
Cc: Geliang Tang <geliangt...@gmail.com>
Cc: Hans Verkuil <hans.verk...@cisco.com>
Cc: linux-media@vger.kernel.org
Signed-off-by: Kees Cook <keesc...@chromium.org>
---
drivers/media/pci/saa7134/saa7134-core.c | 6 +++---
drivers/m
linux-media@vger.kernel.org
Signed-off-by: Kees Cook <keesc...@chromium.org>
---
drivers/media/common/saa7146/saa7146_fops.c | 4 ++--
drivers/media/common/saa7146/saa7146_vbi.c | 3 +--
drivers/media/common/saa7146/saa7146_video.c | 3 +--
include/media/drv-intf/saa7146_vv.h | 2 +-
linux-media@vger.kernel.org
Signed-off-by: Kees Cook <keesc...@chromium.org>
---
drivers/media/i2c/tc358743.c | 7 +++
1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/drivers/media/i2c/tc358743.c b/drivers/media/i2c/tc358743.c
index a9355032076f..359f63d7dfca 100644
--- a
linux-media@vger.kernel.org
Signed-off-by: Kees Cook <keesc...@chromium.org>
---
drivers/media/rc/serial_ir.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/drivers/media/rc/serial_ir.c b/drivers/media/rc/serial_ir.c
index 8b66926bc16a..8bf5637b3a69 100644
--- a/drivers/media/rc
Cc: Alan Cox <a...@linux.intel.com>
Cc: Daeseok Youn <daeseok.y...@gmail.com>
Cc: Arnd Bergmann <a...@arndb.de>
Cc: linux-media@vger.kernel.org
Cc: de...@driverdev.osuosl.org
Signed-off-by: Kees Cook <keesc...@chromium.org>
---
drivers/staging/media/atom
linux-media@vger.kernel.org
Signed-off-by: Kees Cook <keesc...@chromium.org>
---
drivers/media/i2c/tc358743.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/media/i2c/tc358743.c b/drivers/media/i2c/tc358743.c
index 5788af238b86..94e722e0f4e0 100644
--- a/drivers/me
In preparation for unconditionally passing the struct timer_list pointer to
all timer callbacks, switch to using the new timer_setup() and from_timer()
to pass the timer pointer explicitly.
Signed-off-by: Kees Cook <keesc...@chromium.org>
---
drivers/staging/media/atomisp/i2c/lm3554
nput_dev = input_allocate_device();
> if (!input_dev)
> @@ -365,8 +344,13 @@ int av7110_ir_init(struct av7110 *av7110)
> input_free_device(input_dev);
> return err;
> }
> - input_dev->timer.function = input_repeat_key;
> - input_dev->timer.data = (unsigned long) >ir;
> +
> + /*
> +* Input core's default autorepeat is 33 cps with 250 msec
> +* delay, let's adjust to numbers more suitable for remote
> +* control.
> +*/
> + input_enable_softrepeat(input_dev, 250, 125);
>
> if (av_cnt == 1) {
> e = proc_create("av7110_ir", S_IWUSR, NULL,
> _ir_proc_fops);
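Review bot: in the `av7110_ir_init()` hunk the new comment says the input core defaults are being adjusted, but `input_enable_softrepeat(input_dev, 250, 125)` keeps the 250 msec delay that the comment itself names as the default and changes only the repeat period. The comment should say that, and give both arguments with their units (delay 250 msec, period 125 msec), so a reader does not have to look up the argument order to see what actually changed.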
> --
> 2.13.6
>
--
Kees Cook
Pixel Security
> On Thu, Nov 02, 2017 at 04:24:27PM -0700, Kees Cook wrote:
>> > > On Tue, Oct 31, 2017 at 1:11 PM, Sean Young <s...@mess.org> wrote:
>> > > > Leave the autorepeat handling up to the input layer, and move
>> > > > to the new timer API.
>>
Eek, sorry, this uses timer_setup_on_stack() which is only in -next.
If you can Ack this, I can carry it in the timer tree.
Thanks!
-Kees
On Tue, Oct 24, 2017 at 5:22 PM, Kees Cook <keesc...@chromium.org> wrote:
> In preparation for unconditionally passing the struct timer_list pointer
oung <s...@mess.org>
Cc: Sakari Ailus <sakari.ai...@linux.intel.com>
Cc: "Pali Rohár" <pali.ro...@gmail.com>
Cc: linux-media@vger.kernel.org
Signed-off-by: Kees Cook <keesc...@chromium.org>
---
drivers/media/pci/bt8xx/bttv-driver.c | 6 +++---
drivers/media/pci/
On Thu, Oct 19, 2017 at 3:48 PM, Dmitry Torokhov
<dmitry.torok...@gmail.com> wrote:
> On Thu, Oct 19, 2017 at 03:45:38PM -0700, Kees Cook wrote:
>> On Thu, Oct 19, 2017 at 3:32 PM, Dmitry Torokhov
>> <dmitry.torok...@gmail.com> wrote:
>> > On Mon, Oct 16, 2017
d.com>
Cc: Sakari Ailus <sakari.ai...@linux.intel.com>
Cc: Bhumika Goyal <bhumi...@gmail.com>
Cc: Mike Isely <is...@pobox.com>
Cc: Arvind Yadav <arvind.yadav...@gmail.com>
Cc: linux-media@vger.kernel.org
Signed-off-by: Kees Cook <keesc...@chromium.org>
---
drivers
"David S. Miller" <da...@davemloft.net>
Cc: Johannes Berg <johannes.b...@intel.com>
Cc: linux-media@vger.kernel.org
Signed-off-by: Kees Cook <keesc...@chromium.org>
---
drivers/media/radio/radio-cadet.c | 7 +++
drivers/media/radio/wl128x/fmdrv_common.c | 7 +++-
linux-media@vger.kernel.org
Signed-off-by: Kees Cook <keesc...@chromium.org>
---
drivers/media/usb/pvrusb2/pvrusb2-hdw.c | 64 ++---
1 file changed, 36 insertions(+), 28 deletions(-)
diff --git a/drivers/media/usb/pvrusb2/pvrusb2-hdw.c
b/drivers/media/usb/pvrusb2/p
hyti <andi.sh...@samsung.com>
Cc: linux-media@vger.kernel.org
Signed-off-by: Kees Cook <keesc...@chromium.org>
---
drivers/media/rc/ene_ir.c | 7 +++
drivers/media/rc/igorplugusb.c| 6 +++---
drivers/media/rc/img-ir/img-ir-hw.c | 13 ++---
drivers/media
autorepeat
> delay and forcing autorepeat period to be whatever the hardware has.
>
> Signed-off-by: Dmitry Torokhov <dmitry.torok...@gmail.com>
Reviewed-by: Kees Cook <keesc...@chromium.org>
(with the Subject typo fixed)
Hans, since this depends on the input side not changin
>
Thanks for sending these!
Reviewed-by: Kees Cook <keesc...@chromium.org>
-Kees
> ---
> drivers/media/media-device.c | 21 +++--
> 1 file changed, 11 insertions(+), 10 deletions(-)
>
> diff --git a/drivers/media/media-device.c b/drivers/media/media-devic
actual function.
>
> Signed-off-by: Sami Tolvanen <samitolva...@google.com>
I think this actually makes things much more readable in the end. Thanks!
Reviewed-by: Kees Cook <keesc...@chromium.org>
-Kees
> ---
> drivers/media/v4l2-core/v4l2-ioctl.c | 72 ++
On Thu, Oct 19, 2017 at 3:32 PM, Dmitry Torokhov
<dmitry.torok...@gmail.com> wrote:
> On Mon, Oct 16, 2017 at 04:14:43PM -0700, Kees Cook wrote:
>> In preparation for unconditionally passing the struct timer_list pointer to
>> all timer callbacks, switch to usin
ng
NUL-padding to clear a buffer of prior contents.
How did you validate that for these changes?
-Kees
--
Kees Cook
Pixel Security
e meaning between strlcpy() and strscpy()
differs).
Reviewed-by: Kees Cook
-Kees
--
Kees Cook
Pixel Security
r *ptr;
}
strscpy(instance->buffer, source, sizeof(instance->buffer));
is correct.
But:
strscpy(instance->ptr, source, sizeof(instance->ptr));
will not be and will truncate strings to sizeof(char *).
If you _did_ verify this, I'd love to know more about your tooling. :)
-Kees
-
On Mon, Sep 10, 2018 at 11:34 AM, Mauro Carvalho Chehab
wrote:
> On Mon, 10 Sep 2018 09:18:05 -0700
> Kees Cook wrote:
>
>> On Mon, Sep 10, 2018 at 5:19 AM, Mauro Carvalho Chehab
>> wrote:
>> > The strncpy() function is being deprecated upstream. Replac
[0]) +
> __must_be_array(arr))
>
> +/**
> + * for_each_array_element - Iterate all items in an array
> + * @elem: pointer of array type for iteration cursor
> + * @array: array to be iterated
> + */
> +#define for_each_array_element(elem, array) \
> + for (elem = &(array)[0]; \
> +elem < &(array)[ARRAY_SIZE(array)]; \
> +++elem)
> +
> #define u64_to_user_ptr(x) ( \
> { \
> typecheck(u64, x); \
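Review bot: the kernel-doc for `@elem` in `for_each_array_element()` reads "pointer of array type", but the cursor has to be a pointer to the array's element type, since it is assigned `&(array)[0]`; the wording should be corrected to say so. The doc should also state that `array` must be a true array (it goes through `ARRAY_SIZE()`, so a plain pointer will not compile) and that both macro arguments are evaluated more than once, the bound `&(array)[ARRAY_SIZE(array)]` on every iteration, so callers must not pass expressions with side effects.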
> --
> 2.7.4
>
--
Kees Cook
Pixel Security