On Fri, Mar 17, 2017 at 02:56:43PM -0700, Michael Zoran wrote:
> Fix port_parameter_get function, which blindly subtracts 8 from a reply
> size without checking that the size is at least 8 bytes. This can
> cause a large buffer to be copied since the size is unsigned.
> 
> Add a WARN_ON, and also add min and max conditions to the size
> of the data that is copied.
> 
> Signed-off-by: Michael Zoran <mzoran@xxxxxxxxxxxx>
> ---
>  .../vc04_services/bcm2835-camera/mmal-vchiq.c | 27 +++++++++++-----------
>  1 file changed, 14 insertions(+), 13 deletions(-)
> 
> diff --git a/drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.c b/drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.c
> index 4f4499dfe0c3..a8768358c557 100644
> --- a/drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.c
> +++ b/drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.c
> @@ -1450,23 +1450,24 @@ static int port_parameter_get(struct vchiq_mmal_instance *instance,
>  	 * port_parameter_get_reply.size includes the header,
>  	 * whilst *value_size doesn't.
>  	 */
> -	reply_size = rmsg->u.port_parameter_get_reply.size - (2 * sizeof(u32));
> 
> -	if (ret || (reply_size > *value_size)) {
> -		/* Copy only as much as we have space for
> -		 * but report true size of parameter
> -		 */
> -		memcpy(value, &rmsg->u.port_parameter_get_reply.value,
> -		       *value_size);
> -	} else
> -		memcpy(value, &rmsg->u.port_parameter_get_reply.value,
> -		       reply_size);
> +	if (WARN_ON(rmsg->u.port_parameter_get_reply.size < 8))
> +		reply_size = 0;

Can userspace trigger this warning?  If so, don't make it a warning,
just check for it and handle it properly.

thanks,

greg k-h

_______________________________________________
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxx
http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel
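Review bot: the added check compares `port_parameter_get_reply.size` against the literal 8, while the removed subtraction expressed the same header size as `(2 * sizeof(u32))`; use one expression (or a named constant for the reply header size) in both the check and the subtraction so the two cannot drift apart. Also, `WARN_ON` fires on every occurrence rather than once, and the field being checked is the `size` carried in the reply message itself, so a malformed reply that keeps arriving would flood the kernel log with backtraces; since the hunk header shows `port_parameter_get` already returns an `int`, a plain range check that rejects the short reply with an error return (for example `-EINVAL`) and leaves the caller's buffer untouched is the safer handling, which is also what the question raised above points towards.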