| From da05d52d2f0f6bd61094a0cd045fed94bf7d673a Mon Sep 17 00:00:00 2001 |
| From: Prabhakar Lad <prabhakar.csengg@gmail.com> |
| Date: Thu, 20 Jul 2017 08:02:09 -0400 |
| Subject: media: platform: davinci: return -EINVAL for VPFE_CMD_S_CCDC_RAW_PARAMS ioctl |
| |
| From: Prabhakar Lad <prabhakar.csengg@gmail.com> |
| |
| commit da05d52d2f0f6bd61094a0cd045fed94bf7d673a upstream. |
| |
| This patch makes sure the VPFE_CMD_S_CCDC_RAW_PARAMS ioctl no longer works |
| for the vpfe_capture driver, using a minimal patch suitable for backporting. |
| |
| - This ioctl was never in public api and was only defined in kernel header. |
| - The function set_params constantly mixes up pointers and phys_addr_t |
| numbers. |
| - This is part of a 'VPFE_CMD_S_CCDC_RAW_PARAMS' ioctl command that is |
| described as an 'experimental ioctl that will change in future kernels'. |
| - The code to allocate the table never gets called after we copy_from_user |
| the user input over the kernel settings, and then compare them |
| for inequality. |
| - We then go on to use an address provided by user space as both the |
| __user pointer for input and pass it through phys_to_virt to come up |
| with a kernel pointer to copy the data to. This looks like a trivially |
| exploitable root hole. |
| |
| Due to these reasons we make sure this ioctl now returns -EINVAL and backport |
| this patch as far as possible. |
| |
| Fixes: 5f15fbb68fd7 ("V4L/DVB (12251): v4l: dm644x ccdc module for vpfe capture driver") |
| |
| Signed-off-by: Lad, Prabhakar <prabhakar.csengg@gmail.com> |
| Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com> |
| Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| |
| --- |
| drivers/media/platform/davinci/vpfe_capture.c | 22 ++-------------------- |
| 1 file changed, 2 insertions(+), 20 deletions(-) |
| |
| --- a/drivers/media/platform/davinci/vpfe_capture.c |
| +++ b/drivers/media/platform/davinci/vpfe_capture.c |
| @@ -1709,27 +1709,9 @@ static long vpfe_param_handler(struct fi |
| |
| switch (cmd) { |
| case VPFE_CMD_S_CCDC_RAW_PARAMS: |
| + ret = -EINVAL; |
| v4l2_warn(&vpfe_dev->v4l2_dev, |
| - "VPFE_CMD_S_CCDC_RAW_PARAMS: experimental ioctl\n"); |
| - if (ccdc_dev->hw_ops.set_params) { |
| - ret = ccdc_dev->hw_ops.set_params(param); |
| - if (ret) { |
| - v4l2_dbg(1, debug, &vpfe_dev->v4l2_dev, |
| - "Error setting parameters in CCDC\n"); |
| - goto unlock_out; |
| - } |
| - ret = vpfe_get_ccdc_image_format(vpfe_dev, |
| - &vpfe_dev->fmt); |
| - if (ret < 0) { |
| - v4l2_dbg(1, debug, &vpfe_dev->v4l2_dev, |
| - "Invalid image format at CCDC\n"); |
| - goto unlock_out; |
| - } |
| - } else { |
| - ret = -EINVAL; |
| - v4l2_dbg(1, debug, &vpfe_dev->v4l2_dev, |
| - "VPFE_CMD_S_CCDC_RAW_PARAMS not supported\n"); |
| - } |
| + "VPFE_CMD_S_CCDC_RAW_PARAMS not supported\n"); |
| break; |
| default: |
| ret = -ENOTTY; |
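Review bot: The rejected case still reports through `v4l2_warn`, so any caller able to issue VPFE_CMD_S_CCDC_RAW_PARAMS on the device can produce one warning-level kernel log line per call, with no rate limit visible in the hunk. The removed else branch already handled the unsupported case with `v4l2_dbg(1, debug, &vpfe_dev->v4l2_dev, "VPFE_CMD_S_CCDC_RAW_PARAMS not supported\n");`, which would fit here too, or a ratelimited print if the message should stay visible by default. A short comment above `ret = -EINVAL;`, for example `/* disabled: set_params() passed a user-supplied address through phys_to_virt() */`, would keep the reason next to the code for anyone tempted to re-enable it. The `hw_ops.set_params` implementations are outside this hunk and presumably stay in the ccdc modules, so it is worth confirming that nothing else reaches them. vpfe_param_handler starts and ends outside the hunk.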