Re: [PATCH v4 5/8] media: v4l2-core: fix VIDIOC_DQEVENT for time64 ABI

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 11/26/19 3:43 PM, Arnd Bergmann wrote:
> On Mon, Nov 25, 2019 at 3:40 PM Hans Verkuil <hverkuil@xxxxxxxxx> wrote:
>> On 11/11/19 9:38 PM, Arnd Bergmann wrote:
> 
>>>       switch (cmd) {
>>> +#ifdef CONFIG_COMPAT_32BIT_TIME
>>> +     case VIDIOC_DQEVENT_TIME32: {
>>> +             struct v4l2_event_time32 ev32;
>>> +             struct v4l2_event *ev = parg;
>>> +
>>> +             memcpy(&ev32, ev, offsetof(struct v4l2_event, timestamp));
>>> +             ev32.timestamp.tv_sec = ev->timestamp.tv_sec;
>>> +             ev32.timestamp.tv_nsec = ev->timestamp.tv_nsec;
>>> +             memcpy(&ev32.id, &ev->id, sizeof(*ev) - offsetof(struct v4l2_event, id));
>>
>> This looks dangerous: due to 64-bit alignment requirements the
>> v4l2_event struct may end with a 4-byte hole at the end of the struct,
>> which you do not want to copy to ev32.
>>
>> I think it is safer to just copy id and reserved separately:
>>
>>                 ev32.id = ev->id;
>>                 memcpy(ev32.reserved, ev->reserved, sizeof(ev->reserved));
> 
> Actually I think it's that's also bad: The padding in *ev must already be
> cleared here (otherwise there is a leak of stack data in the kernel
> already), so  *not* copying the padding requires at least adding a memset
> upfront.
> 
> I would do the per-member copy like I did for v4l2_buffer in my
> other reply:
> 
>                 struct v4l2_event *ev = parg;
>                 struct v4l2_event_time32 ev32 = {
>                         .type           = ev->type,
>                         .pending        = ev->pending,
>                         .sequence       = ev->sequence,
>                         .timestamp.tv_sec  = ev->timestamp.tv_sec,
>                         .timestamp.tv_nsec = ev->timestamp.tv_nsec,
>                         .id             = ev->id,
>                 };
> 
>                 memcpy(ev32.u, ev->u, sizeof(ev->u));
>                 memcpy(ev32.reserved, ev->reserved, sizeof(ev->reserved));
> 
>                 if (copy_to_user(arg, &ev32, sizeof(ev32)))
>                         return -EFAULT;
> 
> Unfortunately this is a little uglier because it still requires the two
> memcpy() for the arrays, but I think it's good enough.

I agree.

Hmm, can't you do .u = ev->u ? Or is that not allowed by this syntax?

> 
> Any other ideas? Let me know if I should do a memset()
> plus individual member copy instead.

I think we have to, unless you have a better solution. This is leaking
information from the holes in the struct.

>>> +             if (!(sd->flags & V4L2_SUBDEV_FL_HAS_EVENTS))
>>> +                     return -ENOIOCTLCMD;
>>> +
>>> +             rval = v4l2_event_dequeue(vfh, &ev, file->f_flags & O_NONBLOCK);
>>> +
>>> +             memcpy(ev32, &ev, offsetof(struct v4l2_event, timestamp));
>>> +             ev32->timestamp.tv_sec = ev.timestamp.tv_sec;
>>> +             ev32->timestamp.tv_nsec = ev.timestamp.tv_nsec;
>>> +             memcpy(&ev32->id, &ev.id,
>>> +                    sizeof(ev) - offsetof(struct v4l2_event, id));
>>
>> Ditto.
> 
> Using the corresponding code here as well.
> 
>>> +
>>>  #define V4L2_EVENT_SUB_FL_SEND_INITIAL               (1 << 0)
>>>  #define V4L2_EVENT_SUB_FL_ALLOW_FEEDBACK     (1 << 1)
>>>
>>> @@ -2486,6 +2515,7 @@ struct v4l2_create_buffers {
>>>  #define      VIDIOC_S_DV_TIMINGS     _IOWR('V', 87, struct v4l2_dv_timings)
>>>  #define      VIDIOC_G_DV_TIMINGS     _IOWR('V', 88, struct v4l2_dv_timings)
>>>  #define      VIDIOC_DQEVENT           _IOR('V', 89, struct v4l2_event)
>>> +#define      VIDIOC_DQEVENT_TIME32    _IOR('V', 89, struct v4l2_event_time32)
>>
>> Shouldn't this be under #ifdef __KERNEL__?
>>
>> And should this be in the public header at all? media/v4l2-ioctl.h might be a better
>> place.
> 
> Done.
> 
>        Arnd
> 

Regards,

	Hans



[Index of Archives]     [Linux Input]     [Video for Linux]     [Gstreamer Embedded]     [Mplayer Users]     [Linux USB Devel]     [Linux Audio Users]     [Linux Kernel]     [Linux SCSI]     [Yosemite Backpacking]

  Powered by Linux