Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

media: platform: davinci: return -EINVAL for VPFE_CMD_S_CCDC_RAW_PARAMS ioctl

This patch makes sure VPFE_CMD_S_CCDC_RAW_PARAMS ioctl no longer works
for vpfe_capture driver with a minimal patch suitable for backporting.

- This ioctl was never in public API and was only defined in kernel header.
- The function set_params constantly mixes up pointers and phys_addr_t
numbers.
- This is part of a 'VPFE_CMD_S_CCDC_RAW_PARAMS' ioctl command that is
described as an 'experimental ioctl that will change in future kernels'.
- The code to allocate the table never gets called after we copy_from_user
the user input over the kernel settings, and then compare them
for inequality.
- We then go on to use an address provided by user space as both the
__user pointer for input and pass it through phys_to_virt to come up
with a kernel pointer to copy the data to. This looks like a trivially
exploitable root hole.

Due to these reasons we make sure this ioctl now returns -EINVAL and backport
this patch as far as possible.

Fixes: 5f15fbb68fd7 ("V4L/DVB (12251): v4l: dm644x ccdc module for vpfe capture driver")

Signed-off-by: Lad, Prabhakar <prabhakar.csengg@gmail.com>
Cc: <stable@vger.kernel.org> # for v3.7 and up
Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>

authored by Prabhakar Lad and committed by Mauro Carvalho Chehab
da05d52d 377a22d3

+2 -20
drivers/media/platform/davinci/vpfe_capture.c
··· 1719 1719 1720 1720 switch (cmd) { 1721 1721 case VPFE_CMD_S_CCDC_RAW_PARAMS: 1722 + ret = -EINVAL; 1722 1723 v4l2_warn(&vpfe_dev->v4l2_dev, 1723 - "VPFE_CMD_S_CCDC_RAW_PARAMS: experimental ioctl\n"); 1724 - if (ccdc_dev->hw_ops.set_params) { 1725 - ret = ccdc_dev->hw_ops.set_params(param); 1726 - if (ret) { 1727 - v4l2_dbg(1, debug, &vpfe_dev->v4l2_dev, 1728 - "Error setting parameters in CCDC\n"); 1729 - goto unlock_out; 1730 - } 1731 - ret = vpfe_get_ccdc_image_format(vpfe_dev, 1732 - &vpfe_dev->fmt); 1733 - if (ret < 0) { 1734 - v4l2_dbg(1, debug, &vpfe_dev->v4l2_dev, 1735 - "Invalid image format at CCDC\n"); 1736 - goto unlock_out; 1737 - } 1738 - } else { 1739 - ret = -EINVAL; 1740 - v4l2_dbg(1, debug, &vpfe_dev->v4l2_dev, 1741 - "VPFE_CMD_S_CCDC_RAW_PARAMS not supported\n"); 1742 - } 1724 + "VPFE_CMD_S_CCDC_RAW_PARAMS not supported\n"); 1743 1725 break; 1744 1726 default: 1745 1727 ret = -ENOTTY;
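
Review bot: In the retained `case VPFE_CMD_S_CCDC_RAW_PARAMS:` branch the rejection is now logged with `v4l2_warn`, whereas the removed `else` branch printed the same "not supported" message through `v4l2_dbg(1, debug, ...)`. A caller that repeats this ioctl can fill the kernel log at warning level, so consider keeping `v4l2_dbg` here or using a rate-limited or once-only warning. A smaller point: the `default:` case directly below returns -ENOTTY for unknown commands, so a short comment above `ret = -EINVAL;` stating that this command is rejected deliberately, and why it keeps -EINVAL rather than -ENOTTY, would help the next person who edits this switch, since the handler no longer calls `ccdc_dev->hw_ops.set_params` at all.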