On Thu, 29 Mar 2018 10:40:23 +0200 Hans Verkuil <hverkuil@xxxxxxxxx> wrote:

> Hi Mauro,
> 
> On 28/03/18 19:59, Mauro Carvalho Chehab wrote:
> > At put_v4l2_window32(), it tries to access kp->clips. However,
> > kp points to a userspace pointer. So, it should be obtained
> > via get_user(), otherwise it can OOPS:
> > 
> > <snip>
> > 
> > cc: stable@xxxxxxxxxxxxxxx
> > Signed-off-by: Mauro Carvalho Chehab <mchehab@xxxxxxxxxxxxxxxx>
> > ---
> >  drivers/media/v4l2-core/v4l2-compat-ioctl32.c | 4 +++-
> >  1 file changed, 3 insertions(+), 1 deletion(-)
> > 
> > diff --git a/drivers/media/v4l2-core/v4l2-compat-ioctl32.c b/drivers/media/v4l2-core/v4l2-compat-ioctl32.c
> > index 5198c9eeb348..4312935f1dfc 100644
> > --- a/drivers/media/v4l2-core/v4l2-compat-ioctl32.c
> > +++ b/drivers/media/v4l2-core/v4l2-compat-ioctl32.c
> > @@ -101,7 +101,7 @@ static int get_v4l2_window32(struct v4l2_window __user *kp,
> >  static int put_v4l2_window32(struct v4l2_window __user *kp,
> >  			     struct v4l2_window32 __user *up)
> >  {
> > -	struct v4l2_clip __user *kclips = kp->clips;
> > +	struct v4l2_clip __user *kclips;
> >  	struct v4l2_clip32 __user *uclips;
> >  	compat_caddr_t p;
> >  	u32 clipcount;
> > @@ -116,6 +116,8 @@ static int put_v4l2_window32(struct v4l2_window __user *kp,
> >  	if (!clipcount)
> >  		return 0;
> >  
> > +	if (get_user(kclips, &kp->clips))
> > +		return -EFAULT;
> >  	if (get_user(p, &up->clips))
> >  		return -EFAULT;
> >  	uclips = compat_ptr(p);
> > 
> 
> Reviewed-by: Hans Verkuil <hans.verkuil@xxxxxxxxx>
> 
> I have no idea why I didn't find this when I tested this with v4l2-compliance,
> but the code was certainly wrong.

I built 4.16-rc4 with KASAN enabled. Perhaps it won't OOPS without it.
Yet, I doubt it would work without this fix.

> 
> Thank you for debugging this!

Anytime.

Thanks,
Mauro
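Review bot: in the first hunk, the removed initializer `kp->clips` is a plain C dereference of a pointer that the parameter list two lines above declares as `struct v4l2_window __user *kp`, so the access never went through the user-space accessors; dropping the initializer is only safe because the one assignment to `kclips` now happens before its first use, which means the two hunks must not be split apart when backporting to stable. Sparse reports a dereference of a `__user`-annotated pointer as a "dereference of noderef expression", so running sparse on v4l2-compat-ioctl32.c would have flagged this line statically; worth adding to the pre-submit checks for this file so the next instance is caught before it needs KASAN to show up.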
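Review bot: in the second hunk, the new `if (get_user(kclips, &kp->clips)) return -EFAULT;` is placed after the `if (!clipcount) return 0;` early exit and mirrors the existing `get_user(p, &up->clips)` check directly below it, so the error handling is consistent and the extra user access is only paid when clips exist. What the hunk does not show is how `kclips` is consumed afterwards: since it is now explicitly a user-space pointer obtained from user memory, the clip copy that follows must keep using the user accessors (copy_in_user / get_user / put_user) on both `kclips` and `uclips` rather than dereferencing either. It would also help readers of the commit message to say why `kp`, the kernel-format structure, lives in user space at all (the `__user` annotation on the parameter), since that is the reason a put_ helper needs get_user() on its own source structure.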