diff options
| author | Guennadi Liakhovetski <g.liakhovetski@gmx.de> | 2014-05-30 19:26:38 -0400 |
|---|---|---|
| committer | Mauro Carvalho Chehab <mchehab@osg.samsung.com> | 2014-11-03 12:11:59 -0500 |
| commit | 6ed9b28504326f8cf542e6b68245b2f7ce009216 (patch) | |
| tree | 1c00596b47f9204c95d1a70ff1866862cfe1345c | |
| parent | 66ae9fc237c1192414c12094443521d956199be8 (diff) | |
[media] V4L2: fix VIDIOC_CREATE_BUFS 32-bit compatibility mode data copy-back
Similar to an earlier patch, fixing reading user-space data for the
VIDIOC_CREATE_BUFS ioctl() in 32-bit compatibility mode, this patch fixes
writing back of the possibly modified struct to the user. However, unlike
the former bug, this one is much less harmful, because it only results in
the kernel failing to write the .type field back to the user, but in fact
this is likely unneeded, because the kernel will hardly want to change
that field. Therefore this bug is more of a theoretical nature.
Signed-off-by: Guennadi Liakhovetski <g.liakhovetski@gmx.de>
Acked-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
| -rw-r--r-- | drivers/media/v4l2-core/v4l2-compat-ioctl32.c | 10 |
1 files changed, 6 insertions, 4 deletions
diff --git a/drivers/media/v4l2-core/v4l2-compat-ioctl32.c b/drivers/media/v4l2-core/v4l2-compat-ioctl32.c index e502a5fb2994..af635430524e 100644 --- a/drivers/media/v4l2-core/v4l2-compat-ioctl32.c +++ b/drivers/media/v4l2-core/v4l2-compat-ioctl32.c | |||
| @@ -222,6 +222,9 @@ static int get_v4l2_create32(struct v4l2_create_buffers *kp, struct v4l2_create_ | |||
| 222 | 222 | ||
| 223 | static int __put_v4l2_format32(struct v4l2_format *kp, struct v4l2_format32 __user *up) | 223 | static int __put_v4l2_format32(struct v4l2_format *kp, struct v4l2_format32 __user *up) |
| 224 | { | 224 | { |
| 225 | if (put_user(kp->type, &up->type)) | ||
| 226 | return -EFAULT; | ||
| 227 | |||
| 225 | switch (kp->type) { | 228 | switch (kp->type) { |
| 226 | case V4L2_BUF_TYPE_VIDEO_CAPTURE: | 229 | case V4L2_BUF_TYPE_VIDEO_CAPTURE: |
| 227 | case V4L2_BUF_TYPE_VIDEO_OUTPUT: | 230 | case V4L2_BUF_TYPE_VIDEO_OUTPUT: |
| @@ -248,8 +251,7 @@ static int __put_v4l2_format32(struct v4l2_format *kp, struct v4l2_format32 __us | |||
| 248 | 251 | ||
| 249 | static int put_v4l2_format32(struct v4l2_format *kp, struct v4l2_format32 __user *up) | 252 | static int put_v4l2_format32(struct v4l2_format *kp, struct v4l2_format32 __user *up) |
| 250 | { | 253 | { |
| 251 | if (!access_ok(VERIFY_WRITE, up, sizeof(struct v4l2_format32)) || | 254 | if (!access_ok(VERIFY_WRITE, up, sizeof(struct v4l2_format32))) |
| 252 | put_user(kp->type, &up->type)) | ||
| 253 | return -EFAULT; | 255 | return -EFAULT; |
| 254 | return __put_v4l2_format32(kp, up); | 256 | return __put_v4l2_format32(kp, up); |
| 255 | } | 257 | } |
| @@ -257,8 +259,8 @@ static int put_v4l2_format32(struct v4l2_format *kp, struct v4l2_format32 __user | |||
| 257 | static int put_v4l2_create32(struct v4l2_create_buffers *kp, struct v4l2_create_buffers32 __user *up) | 259 | static int put_v4l2_create32(struct v4l2_create_buffers *kp, struct v4l2_create_buffers32 __user *up) |
| 258 | { | 260 | { |
| 259 | if (!access_ok(VERIFY_WRITE, up, sizeof(struct v4l2_create_buffers32)) || | 261 | if (!access_ok(VERIFY_WRITE, up, sizeof(struct v4l2_create_buffers32)) || |
| 260 | copy_to_user(up, kp, offsetof(struct v4l2_create_buffers32, format.fmt))) | 262 | copy_to_user(up, kp, offsetof(struct v4l2_create_buffers32, format))) |
| 261 | return -EFAULT; | 263 | return -EFAULT; |
| 262 | return __put_v4l2_format32(&kp->format, &up->format); | 264 | return __put_v4l2_format32(&kp->format, &up->format); |
| 263 | } | 265 | } |
| 264 | 266 | ||