diff options
author | Al Viro <viro@zeniv.linux.org.uk> | 2006-02-01 05:24:20 -0500 |
---|---|---|
committer | Al Viro <viro@zeniv.linux.org.uk> | 2006-02-08 01:03:39 -0500 |
commit | 5b1a43d7df65689b4c3b5a1c5c8158f1d4f74fbd (patch) | |
tree | 651e2320ff4633507243cf2e353d9ba6b8017cc1 | |
parent | de125bf395df34892862d76580ce3a153e80f151 (diff) |
[PATCH] drivers/media/video __user annotations and fixes
* compat_alloc_user_space() returns __user pointer
* copying between two userland areas is copy_in_user(), not copy_from_user()
* dereferencing userland pointers is bad
* so's get_user() from local variables
... plus usual __user annotations
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
-rw-r--r-- | drivers/media/video/compat_ioctl32.c | 89 | ||||
-rw-r--r-- | include/linux/videodev2.h | 2 |
2 files changed, 42 insertions, 49 deletions
diff --git a/drivers/media/video/compat_ioctl32.c b/drivers/media/video/compat_ioctl32.c index 297c32ab51e3..840fe0177121 100644 --- a/drivers/media/video/compat_ioctl32.c +++ b/drivers/media/video/compat_ioctl32.c | |||
@@ -167,29 +167,32 @@ static int get_v4l2_window32(struct v4l2_window *kp, struct v4l2_window32 __user | |||
167 | if (kp->clipcount > 2048) | 167 | if (kp->clipcount > 2048) |
168 | return -EINVAL; | 168 | return -EINVAL; |
169 | if (kp->clipcount) { | 169 | if (kp->clipcount) { |
170 | struct v4l2_clip32 *uclips = compat_ptr(up->clips); | 170 | struct v4l2_clip32 __user *uclips; |
171 | struct v4l2_clip *kclips; | 171 | struct v4l2_clip __user *kclips; |
172 | int n = kp->clipcount; | 172 | int n = kp->clipcount; |
173 | compat_caddr_t p; | ||
173 | 174 | ||
175 | if (get_user(p, &up->clips)) | ||
176 | return -EFAULT; | ||
177 | uclips = compat_ptr(p); | ||
174 | kclips = compat_alloc_user_space(n * sizeof(struct v4l2_clip)); | 178 | kclips = compat_alloc_user_space(n * sizeof(struct v4l2_clip)); |
175 | kp->clips = kclips; | 179 | kp->clips = kclips; |
176 | while (--n >= 0) { | 180 | while (--n >= 0) { |
177 | if (!access_ok(VERIFY_READ, &uclips->c, sizeof(uclips->c)) || | 181 | if (copy_in_user(&kclips->c, &uclips->c, sizeof(uclips->c))) |
178 | copy_from_user(&kclips->c, &uclips->c, sizeof(uclips->c))) | 182 | return -EFAULT; |
183 | if (put_user(n ? kclips + 1 : NULL, &kclips->next)) | ||
179 | return -EFAULT; | 184 | return -EFAULT; |
180 | kclips->next = n ? kclips + 1 : 0; | ||
181 | uclips += 1; | 185 | uclips += 1; |
182 | kclips += 1; | 186 | kclips += 1; |
183 | } | 187 | } |
184 | } else | 188 | } else |
185 | kp->clips = 0; | 189 | kp->clips = NULL; |
186 | return 0; | 190 | return 0; |
187 | } | 191 | } |
188 | 192 | ||
189 | static int put_v4l2_window32(struct v4l2_window *kp, struct v4l2_window32 __user *up) | 193 | static int put_v4l2_window32(struct v4l2_window *kp, struct v4l2_window32 __user *up) |
190 | { | 194 | { |
191 | if (!access_ok(VERIFY_WRITE, up, sizeof(struct v4l2_window32)) || | 195 | if (copy_to_user(&up->w, &kp->w, sizeof(up->w)) || |
192 | copy_to_user(&up->w, &kp->w, sizeof(up->w)) || | ||
193 | put_user(kp->field, &up->field) || | 196 | put_user(kp->field, &up->field) || |
194 | put_user(kp->chromakey, &up->chromakey) || | 197 | put_user(kp->chromakey, &up->chromakey) || |
195 | put_user(kp->clipcount, &up->clipcount)) | 198 | put_user(kp->clipcount, &up->clipcount)) |
@@ -199,33 +202,29 @@ static int put_v4l2_window32(struct v4l2_window *kp, struct v4l2_window32 __user | |||
199 | 202 | ||
200 | static inline int get_v4l2_pix_format(struct v4l2_pix_format *kp, struct v4l2_pix_format __user *up) | 203 | static inline int get_v4l2_pix_format(struct v4l2_pix_format *kp, struct v4l2_pix_format __user *up) |
201 | { | 204 | { |
202 | if (!access_ok(VERIFY_READ, up, sizeof(struct v4l2_pix_format)) || | 205 | if (copy_from_user(kp, up, sizeof(struct v4l2_pix_format))) |
203 | copy_from_user(kp, up, sizeof(struct v4l2_pix_format))) | 206 | return -EFAULT; |
204 | return -EFAULT; | ||
205 | return 0; | 207 | return 0; |
206 | } | 208 | } |
207 | 209 | ||
208 | static inline int put_v4l2_pix_format(struct v4l2_pix_format *kp, struct v4l2_pix_format __user *up) | 210 | static inline int put_v4l2_pix_format(struct v4l2_pix_format *kp, struct v4l2_pix_format __user *up) |
209 | { | 211 | { |
210 | if (!access_ok(VERIFY_WRITE, up, sizeof(struct v4l2_pix_format)) || | 212 | if (copy_to_user(up, kp, sizeof(struct v4l2_pix_format))) |
211 | copy_to_user(up, kp, sizeof(struct v4l2_pix_format))) | 213 | return -EFAULT; |
212 | return -EFAULT; | ||
213 | return 0; | 214 | return 0; |
214 | } | 215 | } |
215 | 216 | ||
216 | static inline int get_v4l2_vbi_format(struct v4l2_vbi_format *kp, struct v4l2_vbi_format __user *up) | 217 | static inline int get_v4l2_vbi_format(struct v4l2_vbi_format *kp, struct v4l2_vbi_format __user *up) |
217 | { | 218 | { |
218 | if (!access_ok(VERIFY_READ, up, sizeof(struct v4l2_vbi_format)) || | 219 | if (copy_from_user(kp, up, sizeof(struct v4l2_vbi_format))) |
219 | copy_from_user(kp, up, sizeof(struct v4l2_vbi_format))) | 220 | return -EFAULT; |
220 | return -EFAULT; | ||
221 | return 0; | 221 | return 0; |
222 | } | 222 | } |
223 | 223 | ||
224 | static inline int put_v4l2_vbi_format(struct v4l2_vbi_format *kp, struct v4l2_vbi_format __user *up) | 224 | static inline int put_v4l2_vbi_format(struct v4l2_vbi_format *kp, struct v4l2_vbi_format __user *up) |
225 | { | 225 | { |
226 | if (!access_ok(VERIFY_WRITE, up, sizeof(struct v4l2_vbi_format)) || | 226 | if (copy_to_user(up, kp, sizeof(struct v4l2_vbi_format))) |
227 | copy_to_user(up, kp, sizeof(struct v4l2_vbi_format))) | 227 | return -EFAULT; |
228 | return -EFAULT; | ||
229 | return 0; | 228 | return 0; |
230 | } | 229 | } |
231 | 230 | ||
@@ -279,18 +278,16 @@ static int put_v4l2_format32(struct v4l2_format *kp, struct v4l2_format32 __user | |||
279 | 278 | ||
280 | static inline int get_v4l2_standard(struct v4l2_standard *kp, struct v4l2_standard __user *up) | 279 | static inline int get_v4l2_standard(struct v4l2_standard *kp, struct v4l2_standard __user *up) |
281 | { | 280 | { |
282 | if (!access_ok(VERIFY_READ, up, sizeof(struct v4l2_standard)) || | 281 | if (copy_from_user(kp, up, sizeof(struct v4l2_standard))) |
283 | copy_from_user(kp, up, sizeof(struct v4l2_standard))) | 282 | return -EFAULT; |
284 | return -EFAULT; | ||
285 | return 0; | 283 | return 0; |
286 | 284 | ||
287 | } | 285 | } |
288 | 286 | ||
289 | static inline int put_v4l2_standard(struct v4l2_standard *kp, struct v4l2_standard __user *up) | 287 | static inline int put_v4l2_standard(struct v4l2_standard *kp, struct v4l2_standard __user *up) |
290 | { | 288 | { |
291 | if (!access_ok(VERIFY_WRITE, up, sizeof(struct v4l2_standard)) || | 289 | if (copy_to_user(up, kp, sizeof(struct v4l2_standard))) |
292 | copy_to_user(up, kp, sizeof(struct v4l2_standard))) | 290 | return -EFAULT; |
293 | return -EFAULT; | ||
294 | return 0; | 291 | return 0; |
295 | } | 292 | } |
296 | 293 | ||
@@ -328,18 +325,16 @@ static int put_v4l2_standard32(struct v4l2_standard *kp, struct v4l2_standard32 | |||
328 | 325 | ||
329 | static inline int get_v4l2_tuner(struct v4l2_tuner *kp, struct v4l2_tuner __user *up) | 326 | static inline int get_v4l2_tuner(struct v4l2_tuner *kp, struct v4l2_tuner __user *up) |
330 | { | 327 | { |
331 | if (!access_ok(VERIFY_READ, up, sizeof(struct v4l2_tuner)) || | 328 | if (copy_from_user(kp, up, sizeof(struct v4l2_tuner))) |
332 | copy_from_user(kp, up, sizeof(struct v4l2_tuner))) | 329 | return -EFAULT; |
333 | return -EFAULT; | ||
334 | return 0; | 330 | return 0; |
335 | 331 | ||
336 | } | 332 | } |
337 | 333 | ||
338 | static inline int put_v4l2_tuner(struct v4l2_tuner *kp, struct v4l2_tuner __user *up) | 334 | static inline int put_v4l2_tuner(struct v4l2_tuner *kp, struct v4l2_tuner __user *up) |
339 | { | 335 | { |
340 | if (!access_ok(VERIFY_WRITE, up, sizeof(struct v4l2_tuner)) || | 336 | if (copy_to_user(up, kp, sizeof(struct v4l2_tuner))) |
341 | copy_to_user(up, kp, sizeof(struct v4l2_tuner))) | 337 | return -EFAULT; |
342 | return -EFAULT; | ||
343 | return 0; | 338 | return 0; |
344 | } | 339 | } |
345 | 340 | ||
@@ -380,11 +375,13 @@ static int get_v4l2_buffer32(struct v4l2_buffer *kp, struct v4l2_buffer32 __user | |||
380 | break; | 375 | break; |
381 | case V4L2_MEMORY_USERPTR: | 376 | case V4L2_MEMORY_USERPTR: |
382 | { | 377 | { |
383 | unsigned long tmp = (unsigned long)compat_ptr(up->m.userptr); | 378 | compat_long_t tmp; |
384 | 379 | ||
385 | if(get_user(kp->length, &up->length) || | 380 | if (get_user(kp->length, &up->length) || |
386 | get_user(kp->m.userptr, &tmp)) | 381 | get_user(tmp, &up->m.userptr)) |
387 | return -EFAULT; | 382 | return -EFAULT; |
383 | |||
384 | kp->m.userptr = (unsigned long)compat_ptr(tmp); | ||
388 | } | 385 | } |
389 | break; | 386 | break; |
390 | case V4L2_MEMORY_OVERLAY: | 387 | case V4L2_MEMORY_OVERLAY: |
@@ -468,33 +465,29 @@ static int put_v4l2_framebuffer32(struct v4l2_framebuffer *kp, struct v4l2_frame | |||
468 | 465 | ||
469 | static inline int get_v4l2_input32(struct v4l2_input *kp, struct v4l2_input __user *up) | 466 | static inline int get_v4l2_input32(struct v4l2_input *kp, struct v4l2_input __user *up) |
470 | { | 467 | { |
471 | if (!access_ok(VERIFY_READ, up, sizeof(struct v4l2_input) - 4) || | 468 | if (copy_from_user(kp, up, sizeof(struct v4l2_input) - 4)) |
472 | copy_from_user(kp, up, sizeof(struct v4l2_input) - 4)) | 469 | return -EFAULT; |
473 | return -EFAULT; | ||
474 | return 0; | 470 | return 0; |
475 | } | 471 | } |
476 | 472 | ||
477 | static inline int put_v4l2_input32(struct v4l2_input *kp, struct v4l2_input __user *up) | 473 | static inline int put_v4l2_input32(struct v4l2_input *kp, struct v4l2_input __user *up) |
478 | { | 474 | { |
479 | if (!access_ok(VERIFY_WRITE, up, sizeof(struct v4l2_input) - 4) || | 475 | if (copy_to_user(up, kp, sizeof(struct v4l2_input) - 4)) |
480 | copy_to_user(up, kp, sizeof(struct v4l2_input) - 4)) | 476 | return -EFAULT; |
481 | return -EFAULT; | ||
482 | return 0; | 477 | return 0; |
483 | } | 478 | } |
484 | 479 | ||
485 | static inline int get_v4l2_input(struct v4l2_input *kp, struct v4l2_input __user *up) | 480 | static inline int get_v4l2_input(struct v4l2_input *kp, struct v4l2_input __user *up) |
486 | { | 481 | { |
487 | if (!access_ok(VERIFY_READ, up, sizeof(struct v4l2_input)) || | 482 | if (copy_from_user(kp, up, sizeof(struct v4l2_input))) |
488 | copy_from_user(kp, up, sizeof(struct v4l2_input))) | 483 | return -EFAULT; |
489 | return -EFAULT; | ||
490 | return 0; | 484 | return 0; |
491 | } | 485 | } |
492 | 486 | ||
493 | static inline int put_v4l2_input(struct v4l2_input *kp, struct v4l2_input __user *up) | 487 | static inline int put_v4l2_input(struct v4l2_input *kp, struct v4l2_input __user *up) |
494 | { | 488 | { |
495 | if (!access_ok(VERIFY_WRITE, up, sizeof(struct v4l2_input)) || | 489 | if (copy_to_user(up, kp, sizeof(struct v4l2_input))) |
496 | copy_to_user(up, kp, sizeof(struct v4l2_input))) | 490 | return -EFAULT; |
497 | return -EFAULT; | ||
498 | return 0; | 491 | return 0; |
499 | } | 492 | } |
500 | 493 | ||
diff --git a/include/linux/videodev2.h b/include/linux/videodev2.h index b23be44cbea8..5208b12d5550 100644 --- a/include/linux/videodev2.h +++ b/include/linux/videodev2.h | |||
@@ -549,7 +549,7 @@ struct v4l2_framebuffer | |||
549 | struct v4l2_clip | 549 | struct v4l2_clip |
550 | { | 550 | { |
551 | struct v4l2_rect c; | 551 | struct v4l2_rect c; |
552 | struct v4l2_clip *next; | 552 | struct v4l2_clip __user *next; |
553 | }; | 553 | }; |
554 | 554 | ||
555 | struct v4l2_window | 555 | struct v4l2_window |