commit 97d9d23dda6f37d90aefeec4ed619d52df525382 · tjh.dev/kernel

tjh.dev / kernel

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

[media] V4L2: fix VIDIOC_CREATE_BUFS in 64- / 32-bit compatibility mode

If a struct contains 64-bit fields, it is aligned on 64-bit boundaries
within containing structs in 64-bit compilations. This is the case with
struct v4l2_window, which contains pointers and is embedded into struct
v4l2_format, and that one is embedded into struct v4l2_create_buffers.
Unlike some other structs, used as a part of the kernel ABI as ioctl()
arguments, that are packed, these structs aren't packed. This isn't a
problem per se, but the ioctl-compat code for VIDIOC_CREATE_BUFS contains
a bug, that triggers in such 64-bit builds. That code wrongly assumes,
that in struct v4l2_create_buffers, struct v4l2_format immediately follows
the __u32 memory field, which in fact isn't the case. This bug wasn't
visible until now, because until recently hardly any applications used
this ioctl() and mostly embedded 32-bit only drivers implemented it. This
is changing now with addition of this ioctl() to some USB drivers, e.g.
UVC. This patch fixes the bug by copying parts of struct
v4l2_create_buffers separately.

Signed-off-by: Guennadi Liakhovetski <g.liakhovetski@gmx.de>
Acked-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Signed-off-by: Mauro Carvalho Chehab <m.chehab@samsung.com>
Cc: stable@vger.kernel.org

authored by Guennadi Liakhovetski and committed by Mauro Carvalho Chehab 11 years ago 97d9d23d cfece585

+7 -5

1 changed file

expand all

unified split

drivers

media

v4l2-core

v4l2-compat-ioctl32.c

+7 -5

drivers/media/v4l2-core/v4l2-compat-ioctl32.c

··· 178 179 static int __get_v4l2_format32(struct v4l2_format *kp, struct v4l2_format32 __user *up) 180 { 181 switch (kp->type) { 182 case V4L2_BUF_TYPE_VIDEO_CAPTURE: 183 case V4L2_BUF_TYPE_VIDEO_OUTPUT: ··· 207 208 static int get_v4l2_format32(struct v4l2_format *kp, struct v4l2_format32 __user *up) 209 { 210 - if (!access_ok(VERIFY_READ, up, sizeof(struct v4l2_format32)) || 211 - get_user(kp->type, &up->type)) 212 - return -EFAULT; 213 return __get_v4l2_format32(kp, up); 214 } 215 216 static int get_v4l2_create32(struct v4l2_create_buffers *kp, struct v4l2_create_buffers32 __user *up) 217 { 218 if (!access_ok(VERIFY_READ, up, sizeof(struct v4l2_create_buffers32)) || 219 - copy_from_user(kp, up, offsetof(struct v4l2_create_buffers32, format.fmt))) 220 - return -EFAULT; 221 return __get_v4l2_format32(&kp->format, &up->format); 222 } 223

··· 178 179 static int __get_v4l2_format32(struct v4l2_format *kp, struct v4l2_format32 __user *up) 180 { 181 + if (get_user(kp->type, &up->type)) 182 + return -EFAULT; 183 + 184 switch (kp->type) { 185 case V4L2_BUF_TYPE_VIDEO_CAPTURE: 186 case V4L2_BUF_TYPE_VIDEO_OUTPUT: ··· 204 205 static int get_v4l2_format32(struct v4l2_format *kp, struct v4l2_format32 __user *up) 206 { 207 + if (!access_ok(VERIFY_READ, up, sizeof(struct v4l2_format32))) 208 + return -EFAULT; 209 return __get_v4l2_format32(kp, up); 210 } 211 212 static int get_v4l2_create32(struct v4l2_create_buffers *kp, struct v4l2_create_buffers32 __user *up) 213 { 214 if (!access_ok(VERIFY_READ, up, sizeof(struct v4l2_create_buffers32)) || 215 + copy_from_user(kp, up, offsetof(struct v4l2_create_buffers32, format))) 216 + return -EFAULT; 217 return __get_v4l2_format32(&kp->format, &up->format); 218 } 219