Received: by 10.223.185.116 with SMTP id b49csp6343865wrg; Wed, 28 Feb 2018 07:55:22 -0800 (PST) X-Google-Smtp-Source: AG47ELtp3HIYWt37F4z+G0mLZslc4hTjU3OMw+gEVc6F/fQ8i0nOmq+2NovBWZgdjH+fLI9wD3tE X-Received: by 10.99.108.199 with SMTP id h190mr402750pgc.295.1519833322219; Wed, 28 Feb 2018 07:55:22 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1519833322; cv=none; d=google.com; s=arc-20160816; b=v7gTVATD4VdqEmHzSt2awswz4V6zZDEdJjXypp3nPuw6BYUcRv7bGfCx3JCANjxKS4 ZYoLtCP5s1jk/x/lRxY68ZauQ17H9sd4gLD4nzr89grXLnqnTNUYdkiuUj2QZRvjv3eI 13Y40Xd2aYTTtDNIrENNSOCXzE416C0xc/B3s3wOp4wUERLIFoL753wb2YNgp22lntrp HVfuyo5KCj7ngd6cyESiHnYxFJJLwATv50a2WWlvKDXot76/9ZmS5V3jQXBp0C1SIvL4 /vcV+ek8OeAx1w0rtdbuAC7tpDpzxAx6jDHR8dA/A4MhpSFc+JYierV64myXxPX/aahP LJnA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:in-reply-to:subject:message-id:date:cc:to :from:mime-version:content-transfer-encoding:content-disposition :arc-authentication-results; bh=wC7Y2Tzx/77Xnk6FuQ0AdfX9m52ihDKEyxrBK6UVifA=; b=oHUKXkL32/sifhJWXeNngxdH91fVQvcbTCLoKuwuS56cL/CC3otQoMaGxdu8u06EyF InC2LUM99TTA0qkydZtw+shKwG573yoECh6OH/t/7Rj7kkJJsMwaAeeTw9uibOyhx7SQ Qy20P790L/L0FPUFCwGoKz39kaTRp+7ZYmd/T0q+d8AGE70wM2tUCEfQLVjPCgU+nKVo qYzLrl4kkvV4i9dzB7gKs3s7iyfmQUdn6p6aGidoEn7z1w1cy+Hv23WWuhoWiNnMkYJ2 dIWaH+D5TAH0yzDKbJ5/r8sivpSYyC7NBD3ukrXbuGAxsiUipMUWNFNYaxTQuc++iqKw bJ9g== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id s9si1157021pgr.617.2018.02.28.07.55.07; Wed, 28 Feb 2018 07:55:22 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S934076AbeB1Py3 (ORCPT + 99 others); Wed, 28 Feb 2018 10:54:29 -0500 Received: from shadbolt.e.decadent.org.uk ([88.96.1.126]:34459 "EHLO shadbolt.e.decadent.org.uk" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S933777AbeB1Pxd (ORCPT ); Wed, 28 Feb 2018 10:53:33 -0500 Received: from [2a02:8011:400e:2:6f00:88c8:c921:d332] (helo=deadeye) by shadbolt.decadent.org.uk with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.84_2) (envelope-from ) id 1er3Ym-0006kw-IJ; Wed, 28 Feb 2018 15:22:25 +0000 Received: from ben by deadeye with local (Exim 4.90_1) (envelope-from ) id 1er3Yk-0000Iv-OW; Wed, 28 Feb 2018 15:22:22 +0000 Content-Type: text/plain; charset="UTF-8" Content-Disposition: inline Content-Transfer-Encoding: 8bit MIME-Version: 1.0 From: Ben Hutchings To: linux-kernel@vger.kernel.org, stable@vger.kernel.org CC: akpm@linux-foundation.org, "Mauro Carvalho Chehab" , "Laurent Pinchart" , "Guennadi Liakhovetski" Date: Wed, 28 Feb 2018 15:20:18 +0000 Message-ID: X-Mailer: LinuxStableQueue (scripts by bwh) Subject: [PATCH 3.16 236/254] [media] V4L2: fix VIDIOC_CREATE_BUFS 32-bit compatibility mode data copy-back In-Reply-To: X-SA-Exim-Connect-IP: 2a02:8011:400e:2:6f00:88c8:c921:d332 X-SA-Exim-Mail-From: ben@decadent.org.uk X-SA-Exim-Scanned: No (on shadbolt.decadent.org.uk); SAEximRunCond expanded to false Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org 3.16.55-rc1 review patch. If anyone has any objections, please let me know. ------------------ From: Guennadi Liakhovetski commit 6ed9b28504326f8cf542e6b68245b2f7ce009216 upstream. Similar to an earlier patch, fixing reading user-space data for the VIDIOC_CREATE_BUFS ioctl() in 32-bit compatibility mode, this patch fixes writing back of the possibly modified struct to the user. However, unlike the former bug, this one is much less harmful, because it only results in the kernel failing to write the .type field back to the user, but in fact this is likely unneeded, because the kernel will hardly want to change that field. Therefore this bug is more of a theoretical nature. Signed-off-by: Guennadi Liakhovetski Acked-by: Laurent Pinchart Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Ben Hutchings --- drivers/media/v4l2-core/v4l2-compat-ioctl32.c | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) --- a/drivers/media/v4l2-core/v4l2-compat-ioctl32.c +++ b/drivers/media/v4l2-core/v4l2-compat-ioctl32.c @@ -222,6 +222,9 @@ static int get_v4l2_create32(struct v4l2 static int __put_v4l2_format32(struct v4l2_format *kp, struct v4l2_format32 __user *up) { + if (put_user(kp->type, &up->type)) + return -EFAULT; + switch (kp->type) { case V4L2_BUF_TYPE_VIDEO_CAPTURE: case V4L2_BUF_TYPE_VIDEO_OUTPUT: @@ -248,8 +251,7 @@ static int __put_v4l2_format32(struct v4 static int put_v4l2_format32(struct v4l2_format *kp, struct v4l2_format32 __user *up) { - if (!access_ok(VERIFY_WRITE, up, sizeof(struct v4l2_format32)) || - put_user(kp->type, &up->type)) + if (!access_ok(VERIFY_WRITE, up, sizeof(struct v4l2_format32))) return -EFAULT; return __put_v4l2_format32(kp, up); } @@ -257,8 +259,8 @@ static int put_v4l2_format32(struct v4l2 static int put_v4l2_create32(struct v4l2_create_buffers *kp, struct v4l2_create_buffers32 __user *up) { if (!access_ok(VERIFY_WRITE, up, sizeof(struct v4l2_create_buffers32)) || - copy_to_user(up, kp, offsetof(struct v4l2_create_buffers32, format.fmt))) - return -EFAULT; + copy_to_user(up, kp, offsetof(struct v4l2_create_buffers32, format))) + return -EFAULT; return __put_v4l2_format32(&kp->format, &up->format); }