On Mon, 25 May 2009, Laurent Pinchart wrote:
> diff -r e0d881b21bc9 linux/drivers/media/video/v4l2-ioctl.c
> --- a/linux/drivers/media/video/v4l2-ioctl.c Tue May 19 15:12:17 2009 +0200
> +++ b/linux/drivers/media/video/v4l2-ioctl.c Sun May 24 18:26:29 2009 +0200
> @@ -402,6 +402,10 @@
> a specific control that caused it. */
> p->error_idx = p->count;
> user_ptr = (void __user *)p->controls;
> + if (p->count > KMALLOC_MAX_SIZE / sizeof(p->controls[0])) {
> + err = -ENOMEM;
> + goto out_ext_ctrl;
> + }
> if (p->count) {
> ctrls_size = sizeof(struct v4l2_ext_control) * p->count;
> /* Note: v4l2_ext_controls fits in sbuf[] so mbuf is still NULL. */
> @@ -1859,6 +1863,10 @@
> a specific control that caused it. */
> p->error_idx = p->count;
> user_ptr = (void __user *)p->controls;
> + if (p->count > KMALLOC_MAX_SIZE / sizeof(p->controls[0])) {
> + err = -ENOMEM;
> + goto out_ext_ctrl;
> + }
> if (p->count) {
> ctrls_size = sizeof(struct v4l2_ext_control) * p->count;
> /* Note: v4l2_ext_controls fits in sbuf[] so mbuf is still NULL. */
>
> Restricting v4l2_ext_controls::count to values smaller than KMALLOC_MAX_SIZE /
> sizeof(struct v4l2_ext_control) should be enough, but we might want to
> restrict the value even further. I'd like opinions on this.
One thing that could be done is to call access_ok() on the range before
kmalloc'ing a buffer. If p->count is too high, then it's possible that the
copy_from_user will fail because the process does not have the address
space to copy.
--
To unsubscribe from this list: send the line "unsubscribe linux-media" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
