Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

media: uvcvideo: Silence memcpy() run-time false positive warnings

The memcpy() in uvc_video_decode_meta() intentionally copies across the
length and flags members and into the trailing buf flexible array.
Split the copy so that the compiler can better reason about (the lack
of) buffer overflows here. Avoid the run-time false positive warning:

memcpy: detected field-spanning write (size 12) of single field "&meta->length" at drivers/media/usb/uvc/uvc_video.c:1355 (size 1)

Additionally fix a typo in the documentation for struct uvc_meta_buf.

Reported-by: ionut_n2001@yahoo.com
Link: https://bugzilla.kernel.org/show_bug.cgi?id=216810
Signed-off-by: Kees Cook <keescook@chromium.org>
Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>

Authored by Kees Cook and committed by Laurent Pinchart
b8392129 136effa7

+4 -2
+3 -1
drivers/media/usb/uvc/uvc_video.c
··· 1356 1356 if (has_scr) 1357 1357 memcpy(stream->clock.last_scr, scr, 6); 1358 1358 1359 - memcpy(&meta->length, mem, length); 1359 + meta->length = mem[0]; 1360 + meta->flags = mem[1]; 1361 + memcpy(meta->buf, &mem[2], length - 2); 1360 1362 meta_buf->bytesused += length + sizeof(meta->ns) + sizeof(meta->sof); 1361 1363 1362 1364 uvc_dbg(stream->dev, FRAME,
+1 -1
include/uapi/linux/uvcvideo.h
··· 88 88 * struct. The first two fields are added by the driver, they can be used for 89 89 * clock synchronisation. The rest is an exact copy of a UVC payload header. 90 90 * Only complete objects with complete buffers are included. Therefore it's 91 - * always sizeof(meta->ts) + sizeof(meta->sof) + meta->length bytes large. 91 + * always sizeof(meta->ns) + sizeof(meta->sof) + meta->length bytes large. 92 92 */ 93 93 struct uvc_meta_buf { 94 94 __u64 ns;
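Review bot: In the drivers/media/usb/uvc/uvc_video.c hunk, `memcpy(meta->buf, &mem[2], length - 2);` and the two reads of `mem[0]` and `mem[1]` all depend on `length` being at least 2, and none of the visible context lines establish that bound. If `length` is an unsigned type and ever smaller than 2, `length - 2` wraps to a very large copy size, which is a worse outcome than the warning being silenced. Please confirm that an earlier check in uvc_video_decode_meta() or its caller guarantees `length >= 2`, and consider stating that in a one-line comment above the three new lines so the split copy is self-explanatory.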
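Review bot: The include/uapi/linux/uvcvideo.h hunk, which changes `sizeof(meta->ts)` to `sizeof(meta->ns)` in the comment, is unrelated to the memcpy() warning named in the subject line. Because it touches a UAPI header, it would be easier to track and backport as its own patch with its own subject. The corrected name does match the `__u64 ns;` member visible just below the comment.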