Hi Mauro, On 28/03/18 19:59, Mauro Carvalho Chehab wrote: > At put_v4l2_window32(), it tries to access kp->clips. However, > kp points to an userspace pointer. So, it should be obtained > via get_user(), otherwise it can OOPS: > <snip> > > cc: stable@xxxxxxxxxxxxxxx > Signed-off-by: Mauro Carvalho Chehab <mchehab@xxxxxxxxxxxxxxxx> > --- > drivers/media/v4l2-core/v4l2-compat-ioctl32.c | 4 +++- > 1 file changed, 3 insertions(+), 1 deletion(-) > > diff --git a/drivers/media/v4l2-core/v4l2-compat-ioctl32.c b/drivers/media/v4l2-core/v4l2-compat-ioctl32.c > index 5198c9eeb348..4312935f1dfc 100644 > --- a/drivers/media/v4l2-core/v4l2-compat-ioctl32.c > +++ b/drivers/media/v4l2-core/v4l2-compat-ioctl32.c > @@ -101,7 +101,7 @@ static int get_v4l2_window32(struct v4l2_window __user *kp, > static int put_v4l2_window32(struct v4l2_window __user *kp, > struct v4l2_window32 __user *up) > { > - struct v4l2_clip __user *kclips = kp->clips; > + struct v4l2_clip __user *kclips; > struct v4l2_clip32 __user *uclips; > compat_caddr_t p; > u32 clipcount; > @@ -116,6 +116,8 @@ static int put_v4l2_window32(struct v4l2_window __user *kp, > if (!clipcount) > return 0; > > + if (get_user(kclips, &kp->clips)) > + return -EFAULT; > if (get_user(p, &up->clips)) > return -EFAULT; > uclips = compat_ptr(p); > Reviewed-by: Hans Verkuil <hans.verkuil@xxxxxxxxx> I have no idea why I didn't find this when I tested this with v4l2-compliance, but the code was certainly wrong. Thank you for debugging this! Regards, Hans
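Review bot: On the first hunk (@@ -101,7), dropping the initializer is the right fix, since `kp` is a `__user` pointer and `kp->clips` was a direct dereference of user memory from kernel context, but it leaves `kclips` uninitialized at its declaration, so please double-check that no path between the declaration and the later `get_user(kclips, &kp->clips)` reads it (the visible context shows only `uclips`, `p` and `clipcount` declared alongside it). A direct dereference of a `__user` pointer is exactly what sparse reports as "dereference of noderef expression", so running `make C=1` over drivers/media/v4l2-core/ would have caught this and is worth doing for the rest of v4l2-compat-ioctl32.c, which handles many such `__user` compat structures.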
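Review bot: On the second hunk (@@ -116,6), `if (get_user(kclips, &kp->clips)) return -EFAULT;` is placed after the `if (!clipcount) return 0;` early exit, which is fine since `kclips` is only needed when there are clips to copy, but the same question applies to `clipcount` used just above it: it is read from `kp` as well, so please confirm it is obtained with `get_user()` rather than another direct dereference, otherwise the same OOPS remains one line earlier. Since the patch is Cc'd to stable, the commit message should also carry a `Fixes:` tag naming the commit that introduced the `kp->clips` dereference so the stable maintainers can pick the right trees.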