media: v4l2-core: fix uninitialized structure fields being returned to userspace
author Colin Ian King <colin.king@canonical.com>
Tue, 7 Jan 2020 14:02:06 +0000 (15:02 +0100)
committer Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
Thu, 9 Jan 2020 14:26:18 +0000 (15:26 +0100)
In the case where v4l2_event_dequeue fails the structure ev is not
being filled and this garbage data from the stack is being copied
to the ev32 structure and being copied back to userspace on the
VIDIOC_DQEVENT_TIME32 ioctl.  Fix this by ensuring the ev structure
is zero'd to ensure uninitialized data is not leaked back.

Addresses-Coverity: ("Uninitialized scalar variable")

Fixes: 1a6c0b36dd19 ("media: v4l2-core: fix VIDIOC_DQEVENT for time64 ABI")
Signed-off-by: Colin Ian King <colin.king@canonical.com>
Acked-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
drivers/media/v4l2-core/v4l2-subdev.c

index de926e3113486f2eed89b605718596ca99f7b74b..a376b351135f1a0a249ee628ffb8bb69e97e51cc 100644 (file)
@@ -394,7 +394,7 @@ static long subdev_do_ioctl(struct file *file, unsigned int cmd, void *arg)
 
        case VIDIOC_DQEVENT_TIME32: {
                struct v4l2_event_time32 *ev32 = arg;
-               struct v4l2_event ev;
+               struct v4l2_event ev = { };
 
                if (!(sd->flags & V4L2_SUBDEV_FL_HAS_EVENTS))
                        return -ENOIOCTLCMD;
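
Review bot: In the VIDIOC_DQEVENT_TIME32 case, `struct v4l2_event ev = { };` closes the leak but, going by the commit message, the copy from ev into ev32 still runs when v4l2_event_dequeue fails, so userspace would now get an all-zero event together with the error code. The copy itself is outside the visible context, so please confirm that path; if it is unconditional, checking the dequeue return value and skipping the ev to ev32 copy on failure would fix the cause, with the initializer kept as defence in depth. Also, if any part of ev is transferred as a block rather than member by member, memset(&ev, 0, sizeof(ev)) is the safer form, since an initializer zeroes the members but is not relied upon to clear padding. A one-line comment above the declaration saying why ev must start zeroed would keep a later cleanup from dropping it.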