Re: [PATCH] media: v4l2-compat-ioctl32: don't oops on overlay

On 29/03/18 15:00, Mauro Carvalho Chehab wrote:
> On Thu, 29 Mar 2018 10:40:23 +0200
> Hans Verkuil <hverkuil@xxxxxxxxx> wrote:
> 
>> Hi Mauro,
>>
>> On 28/03/18 19:59, Mauro Carvalho Chehab wrote:
>>> At put_v4l2_window32(), it tries to access kp->clips. However,
>>> kp points to a userspace pointer. So, it should be obtained
>>> via get_user(), otherwise it can OOPS:
>>>   
>>
>> <snip>
>>
>>>
>>> cc: stable@xxxxxxxxxxxxxxx
>>> Signed-off-by: Mauro Carvalho Chehab <mchehab@xxxxxxxxxxxxxxxx>
>>> ---
>>>  drivers/media/v4l2-core/v4l2-compat-ioctl32.c | 4 +++-
>>>  1 file changed, 3 insertions(+), 1 deletion(-)
>>>
>>> diff --git a/drivers/media/v4l2-core/v4l2-compat-ioctl32.c b/drivers/media/v4l2-core/v4l2-compat-ioctl32.c
>>> index 5198c9eeb348..4312935f1dfc 100644
>>> --- a/drivers/media/v4l2-core/v4l2-compat-ioctl32.c
>>> +++ b/drivers/media/v4l2-core/v4l2-compat-ioctl32.c
>>> @@ -101,7 +101,7 @@ static int get_v4l2_window32(struct v4l2_window __user *kp,
>>>  static int put_v4l2_window32(struct v4l2_window __user *kp,
>>>  			     struct v4l2_window32 __user *up)
>>>  {
>>> -	struct v4l2_clip __user *kclips = kp->clips;
>>> +	struct v4l2_clip __user *kclips;
>>>  	struct v4l2_clip32 __user *uclips;
>>>  	compat_caddr_t p;
>>>  	u32 clipcount;
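
Review bot: kclips is now declared without an initializer in put_v4l2_window32(), so it holds an indeterminate value until the get_user() added in the second hunk, which sits after the `if (!clipcount) return 0;` early return. Please confirm that nothing in the lines between the declaration and that get_user() reads kclips. The removed initializer was a plain dereference of `kp`, which the signature annotates `__user`; a sparse run over this file would flag that pattern and is worth adding to the testing for this change.
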
>>> @@ -116,6 +116,8 @@ static int put_v4l2_window32(struct v4l2_window __user *kp,
>>>  	if (!clipcount)
>>>  		return 0;
>>>  
>>> +	if (get_user(kclips, &kp->clips))
>>> +		return -EFAULT;
>>>  	if (get_user(p, &up->clips))
>>>  		return -EFAULT;
>>>  	uclips = compat_ptr(p);
>>>   
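
Review bot: The added `get_user(kclips, &kp->clips)` would benefit from a one-line comment stating that kp is itself a `__user` pointer, because the bug here was a plain `kp->clips` read that looks harmless in a function with the usual kernel-pointer/user-pointer argument naming. get_v4l2_window32(), named in the first hunk header, takes the same `struct v4l2_window __user *kp`, so it and the rest of put_v4l2_window32() should be checked for any remaining direct `kp->` accesses. Placing the fetch after the `!clipcount` return is right, since the zero-clip path then never touches the clips field.
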
>>
>> Reviewed-by: Hans Verkuil <hans.verkuil@xxxxxxxxx>
>>
>> I have no idea why I didn't find this when I tested this with v4l2-compliance,
>> but the code was certainly wrong.
> 
> I built 4.16-rc4 with KASAN enabled. Perhaps, it won't OOPS without
> it. Yet, I doubt it would work without this fix.

I definitely did not have KASAN enabled when I tested this.

Regards,

	Hans

> 
>>
>> Thank you for debugging this!
> 
> Anytime.
> 
> Thanks,
> Mauro
> 



