Re: [PATCH 08/10] staging: bcm2835-camera: Fix buffer overflow calculation on query of camera properties

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 10 March 2017 at 05:08, Michael Zoran <mzoran@xxxxxxxxxxxx> wrote:
> The code that queries properties on the camera has a check
> for buffer overruns if the firmware sends too much data.  This
> check is incorrect, and during testing I was seeing stack corruption.
>
> I believe this error can actually happen in normal use, just for
> some reason it doesn't appear on 32 bit as often.  So perhaps
> it's best for the check to be fixed.

That sounds like it is related to a report I couldn't nail down as it
only happened on ArchLinux -
https://github.com/raspberrypi/linux/issues/1447

Comparing against the original MMAL implementation at
https://github.com/raspberrypi/userland/blob/master/interface/mmal/vc/mmal_vc_api.c#L1187
there are a few subtle differences. Your patch is a belt and braces to
ensure that it never copies too much, so reasonable in that regard.

I'm actually more worried that it implies we have a structure mismatch
against the firmware, but I currently can't see where it is. A load of
debug prints for sizeof(struct) required....

> Signed-off-by: Michael Zoran <mzoran@xxxxxxxxxxxx>
> ---
>  drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.c b/drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.c
> index 41de8956e421..976aa08365f2 100644
> --- a/drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.c
> +++ b/drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.c
> @@ -1442,7 +1442,7 @@ static int port_parameter_get(struct vchiq_mmal_instance *instance,
>         }
>
>         ret = -rmsg->u.port_parameter_get_reply.status;
> -       if (ret) {
> +       if (ret || (rmsg->u.port_parameter_get_reply.size > *value_size)) {
>                 /* Copy only as much as we have space for
>                  * but report true size of parameter
>                  */
> --
> 2.11.0
>
_______________________________________________
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxx
http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel



[Index of Archives]     [Linux Driver Backports]     [DMA Engine]     [Linux GPIO]     [Linux SPI]     [Video for Linux]     [Linux USB Devel]     [Linux Coverity]     [Linux Audio Users]     [Linux Kernel]     [Linux SCSI]     [Yosemite Backpacking]
  Powered by Linux