aboutsummaryrefslogtreecommitdiffstats
path: root/drivers
diff options
context:
space:
mode:
authorAl Viro <viro@zeniv.linux.org.uk>2006-02-01 05:24:20 -0500
committerAl Viro <viro@zeniv.linux.org.uk>2006-02-08 01:03:39 -0500
commit5b1a43d7df65689b4c3b5a1c5c8158f1d4f74fbd (patch)
tree651e2320ff4633507243cf2e353d9ba6b8017cc1 /drivers
parentde125bf395df34892862d76580ce3a153e80f151 (diff)
[PATCH] drivers/media/video __user annotations and fixes
* compat_alloc_user_space() returns __user pointer * copying between two userland areas is copy_in_user(), not copy_from_user() * dereferencing userland pointers is bad * so's get_user() from local variables ... plus usual __user annotations Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Diffstat (limited to 'drivers')
-rw-r--r--drivers/media/video/compat_ioctl32.c89
1 files changed, 41 insertions, 48 deletions
diff --git a/drivers/media/video/compat_ioctl32.c b/drivers/media/video/compat_ioctl32.c
index 297c32ab51e3..840fe0177121 100644
--- a/drivers/media/video/compat_ioctl32.c
+++ b/drivers/media/video/compat_ioctl32.c
@@ -167,29 +167,32 @@ static int get_v4l2_window32(struct v4l2_window *kp, struct v4l2_window32 __user
167 if (kp->clipcount > 2048) 167 if (kp->clipcount > 2048)
168 return -EINVAL; 168 return -EINVAL;
169 if (kp->clipcount) { 169 if (kp->clipcount) {
170 struct v4l2_clip32 *uclips = compat_ptr(up->clips); 170 struct v4l2_clip32 __user *uclips;
171 struct v4l2_clip *kclips; 171 struct v4l2_clip __user *kclips;
172 int n = kp->clipcount; 172 int n = kp->clipcount;
173 compat_caddr_t p;
173 174
175 if (get_user(p, &up->clips))
176 return -EFAULT;
177 uclips = compat_ptr(p);
174 kclips = compat_alloc_user_space(n * sizeof(struct v4l2_clip)); 178 kclips = compat_alloc_user_space(n * sizeof(struct v4l2_clip));
175 kp->clips = kclips; 179 kp->clips = kclips;
176 while (--n >= 0) { 180 while (--n >= 0) {
177 if (!access_ok(VERIFY_READ, &uclips->c, sizeof(uclips->c)) || 181 if (copy_in_user(&kclips->c, &uclips->c, sizeof(uclips->c)))
178 copy_from_user(&kclips->c, &uclips->c, sizeof(uclips->c))) 182 return -EFAULT;
183 if (put_user(n ? kclips + 1 : NULL, &kclips->next))
179 return -EFAULT; 184 return -EFAULT;
180 kclips->next = n ? kclips + 1 : 0;
181 uclips += 1; 185 uclips += 1;
182 kclips += 1; 186 kclips += 1;
183 } 187 }
184 } else 188 } else
185 kp->clips = 0; 189 kp->clips = NULL;
186 return 0; 190 return 0;
187} 191}
188 192
189static int put_v4l2_window32(struct v4l2_window *kp, struct v4l2_window32 __user *up) 193static int put_v4l2_window32(struct v4l2_window *kp, struct v4l2_window32 __user *up)
190{ 194{
191 if (!access_ok(VERIFY_WRITE, up, sizeof(struct v4l2_window32)) || 195 if (copy_to_user(&up->w, &kp->w, sizeof(up->w)) ||
192 copy_to_user(&up->w, &kp->w, sizeof(up->w)) ||
193 put_user(kp->field, &up->field) || 196 put_user(kp->field, &up->field) ||
194 put_user(kp->chromakey, &up->chromakey) || 197 put_user(kp->chromakey, &up->chromakey) ||
195 put_user(kp->clipcount, &up->clipcount)) 198 put_user(kp->clipcount, &up->clipcount))
@@ -199,33 +202,29 @@ static int put_v4l2_window32(struct v4l2_window *kp, struct v4l2_window32 __user
199 202
200static inline int get_v4l2_pix_format(struct v4l2_pix_format *kp, struct v4l2_pix_format __user *up) 203static inline int get_v4l2_pix_format(struct v4l2_pix_format *kp, struct v4l2_pix_format __user *up)
201{ 204{
202 if (!access_ok(VERIFY_READ, up, sizeof(struct v4l2_pix_format)) || 205 if (copy_from_user(kp, up, sizeof(struct v4l2_pix_format)))
203 copy_from_user(kp, up, sizeof(struct v4l2_pix_format))) 206 return -EFAULT;
204 return -EFAULT;
205 return 0; 207 return 0;
206} 208}
207 209
208static inline int put_v4l2_pix_format(struct v4l2_pix_format *kp, struct v4l2_pix_format __user *up) 210static inline int put_v4l2_pix_format(struct v4l2_pix_format *kp, struct v4l2_pix_format __user *up)
209{ 211{
210 if (!access_ok(VERIFY_WRITE, up, sizeof(struct v4l2_pix_format)) || 212 if (copy_to_user(up, kp, sizeof(struct v4l2_pix_format)))
211 copy_to_user(up, kp, sizeof(struct v4l2_pix_format))) 213 return -EFAULT;
212 return -EFAULT;
213 return 0; 214 return 0;
214} 215}
215 216
216static inline int get_v4l2_vbi_format(struct v4l2_vbi_format *kp, struct v4l2_vbi_format __user *up) 217static inline int get_v4l2_vbi_format(struct v4l2_vbi_format *kp, struct v4l2_vbi_format __user *up)
217{ 218{
218 if (!access_ok(VERIFY_READ, up, sizeof(struct v4l2_vbi_format)) || 219 if (copy_from_user(kp, up, sizeof(struct v4l2_vbi_format)))
219 copy_from_user(kp, up, sizeof(struct v4l2_vbi_format))) 220 return -EFAULT;
220 return -EFAULT;
221 return 0; 221 return 0;
222} 222}
223 223
224static inline int put_v4l2_vbi_format(struct v4l2_vbi_format *kp, struct v4l2_vbi_format __user *up) 224static inline int put_v4l2_vbi_format(struct v4l2_vbi_format *kp, struct v4l2_vbi_format __user *up)
225{ 225{
226 if (!access_ok(VERIFY_WRITE, up, sizeof(struct v4l2_vbi_format)) || 226 if (copy_to_user(up, kp, sizeof(struct v4l2_vbi_format)))
227 copy_to_user(up, kp, sizeof(struct v4l2_vbi_format))) 227 return -EFAULT;
228 return -EFAULT;
229 return 0; 228 return 0;
230} 229}
231 230
@@ -279,18 +278,16 @@ static int put_v4l2_format32(struct v4l2_format *kp, struct v4l2_format32 __user
279 278
280static inline int get_v4l2_standard(struct v4l2_standard *kp, struct v4l2_standard __user *up) 279static inline int get_v4l2_standard(struct v4l2_standard *kp, struct v4l2_standard __user *up)
281{ 280{
282 if (!access_ok(VERIFY_READ, up, sizeof(struct v4l2_standard)) || 281 if (copy_from_user(kp, up, sizeof(struct v4l2_standard)))
283 copy_from_user(kp, up, sizeof(struct v4l2_standard))) 282 return -EFAULT;
284 return -EFAULT;
285 return 0; 283 return 0;
286 284
287} 285}
288 286
289static inline int put_v4l2_standard(struct v4l2_standard *kp, struct v4l2_standard __user *up) 287static inline int put_v4l2_standard(struct v4l2_standard *kp, struct v4l2_standard __user *up)
290{ 288{
291 if (!access_ok(VERIFY_WRITE, up, sizeof(struct v4l2_standard)) || 289 if (copy_to_user(up, kp, sizeof(struct v4l2_standard)))
292 copy_to_user(up, kp, sizeof(struct v4l2_standard))) 290 return -EFAULT;
293 return -EFAULT;
294 return 0; 291 return 0;
295} 292}
296 293
@@ -328,18 +325,16 @@ static int put_v4l2_standard32(struct v4l2_standard *kp, struct v4l2_standard32
328 325
329static inline int get_v4l2_tuner(struct v4l2_tuner *kp, struct v4l2_tuner __user *up) 326static inline int get_v4l2_tuner(struct v4l2_tuner *kp, struct v4l2_tuner __user *up)
330{ 327{
331 if (!access_ok(VERIFY_READ, up, sizeof(struct v4l2_tuner)) || 328 if (copy_from_user(kp, up, sizeof(struct v4l2_tuner)))
332 copy_from_user(kp, up, sizeof(struct v4l2_tuner))) 329 return -EFAULT;
333 return -EFAULT;
334 return 0; 330 return 0;
335 331
336} 332}
337 333
338static inline int put_v4l2_tuner(struct v4l2_tuner *kp, struct v4l2_tuner __user *up) 334static inline int put_v4l2_tuner(struct v4l2_tuner *kp, struct v4l2_tuner __user *up)
339{ 335{
340 if (!access_ok(VERIFY_WRITE, up, sizeof(struct v4l2_tuner)) || 336 if (copy_to_user(up, kp, sizeof(struct v4l2_tuner)))
341 copy_to_user(up, kp, sizeof(struct v4l2_tuner))) 337 return -EFAULT;
342 return -EFAULT;
343 return 0; 338 return 0;
344} 339}
345 340
@@ -380,11 +375,13 @@ static int get_v4l2_buffer32(struct v4l2_buffer *kp, struct v4l2_buffer32 __user
380 break; 375 break;
381 case V4L2_MEMORY_USERPTR: 376 case V4L2_MEMORY_USERPTR:
382 { 377 {
383 unsigned long tmp = (unsigned long)compat_ptr(up->m.userptr); 378 compat_long_t tmp;
384 379
385 if(get_user(kp->length, &up->length) || 380 if (get_user(kp->length, &up->length) ||
386 get_user(kp->m.userptr, &tmp)) 381 get_user(tmp, &up->m.userptr))
387 return -EFAULT; 382 return -EFAULT;
383
384 kp->m.userptr = (unsigned long)compat_ptr(tmp);
388 } 385 }
389 break; 386 break;
390 case V4L2_MEMORY_OVERLAY: 387 case V4L2_MEMORY_OVERLAY:
@@ -468,33 +465,29 @@ static int put_v4l2_framebuffer32(struct v4l2_framebuffer *kp, struct v4l2_frame
468 465
469static inline int get_v4l2_input32(struct v4l2_input *kp, struct v4l2_input __user *up) 466static inline int get_v4l2_input32(struct v4l2_input *kp, struct v4l2_input __user *up)
470{ 467{
471 if (!access_ok(VERIFY_READ, up, sizeof(struct v4l2_input) - 4) || 468 if (copy_from_user(kp, up, sizeof(struct v4l2_input) - 4))
472 copy_from_user(kp, up, sizeof(struct v4l2_input) - 4)) 469 return -EFAULT;
473 return -EFAULT;
474 return 0; 470 return 0;
475} 471}
476 472
477static inline int put_v4l2_input32(struct v4l2_input *kp, struct v4l2_input __user *up) 473static inline int put_v4l2_input32(struct v4l2_input *kp, struct v4l2_input __user *up)
478{ 474{
479 if (!access_ok(VERIFY_WRITE, up, sizeof(struct v4l2_input) - 4) || 475 if (copy_to_user(up, kp, sizeof(struct v4l2_input) - 4))
480 copy_to_user(up, kp, sizeof(struct v4l2_input) - 4)) 476 return -EFAULT;
481 return -EFAULT;
482 return 0; 477 return 0;
483} 478}
484 479
485static inline int get_v4l2_input(struct v4l2_input *kp, struct v4l2_input __user *up) 480static inline int get_v4l2_input(struct v4l2_input *kp, struct v4l2_input __user *up)
486{ 481{
487 if (!access_ok(VERIFY_READ, up, sizeof(struct v4l2_input)) || 482 if (copy_from_user(kp, up, sizeof(struct v4l2_input)))
488 copy_from_user(kp, up, sizeof(struct v4l2_input))) 483 return -EFAULT;
489 return -EFAULT;
490 return 0; 484 return 0;
491} 485}
492 486
493static inline int put_v4l2_input(struct v4l2_input *kp, struct v4l2_input __user *up) 487static inline int put_v4l2_input(struct v4l2_input *kp, struct v4l2_input __user *up)
494{ 488{
495 if (!access_ok(VERIFY_WRITE, up, sizeof(struct v4l2_input)) || 489 if (copy_to_user(up, kp, sizeof(struct v4l2_input)))
496 copy_to_user(up, kp, sizeof(struct v4l2_input))) 490 return -EFAULT;
497 return -EFAULT;
498 return 0; 491 return 0;
499} 492}
500 493