On Friday 12 April 2013 08:03:15 Marek Szyprowski wrote: > On 4/12/2013 5:57 AM, Seung-Woo Kim wrote: > > The length of mmap() can be bigger than length of vb2 buffer, so > > it should be checked. > > > > Signed-off-by: Seung-Woo Kim <sw0312.kim@xxxxxxxxxxx> > > Acked-by: Marek Szyprowski <m.szyprowski@xxxxxxxxxxx> This should be pushed to the stable kernels, as it's a potential security issue. > > --- > > > > drivers/media/v4l2-core/videobuf2-core.c | 5 +++++ > > 1 files changed, 5 insertions(+), 0 deletions(-) > > > > diff --git a/drivers/media/v4l2-core/videobuf2-core.c > > b/drivers/media/v4l2-core/videobuf2-core.c index db1235d..2c6ff2d 100644 > > --- a/drivers/media/v4l2-core/videobuf2-core.c > > +++ b/drivers/media/v4l2-core/videobuf2-core.c > > @@ -1886,6 +1886,11 @@ int vb2_mmap(struct vb2_queue *q, struct > > vm_area_struct *vma)> > > vb = q->bufs[buffer]; > > > > + if (vb->v4l2_planes[plane].length < (vma->vm_end - vma->vm_start)) { > > + dprintk(1, "Invalid length\n"); > > + return -EINVAL; > > + } > > + > > > > ret = call_memop(q, mmap, vb->planes[plane].mem_priv, vma); > > if (ret) > > > > return ret; -- Regards, Laurent Pinchart
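Review bot: the new comparison in vb2_mmap() tests the raw vb->v4l2_planes[plane].length against vma->vm_end - vma->vm_start, which is always a whole number of pages, so a plane whose length is not page-aligned would get -EINVAL even for the smallest mapping that covers it. Consider comparing against PAGE_ALIGN(vb->v4l2_planes[plane].length) instead, and printing both sizes in the dprintk() so a rejected mapping can be diagnosed from the log. Since the reply asks for this to go to the stable kernels, the tag block should also carry a stable Cc next to the Signed-off-by and Acked-by lines.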