diff mbox

[03/14] media: ov6650: Fix unverified arguments used in .set_fmt()

Message ID 20190408214242.9603-4-jmkrzyszt@gmail.com (mailing list archive)
State Changes Requested, archived
Delegated to: Sakari Ailus
Headers

Commit Message

Janusz Krzysztofik April 8, 2019, 9:42 p.m. UTC 
  Commit 717fd5b4907ad ("[media] v4l2: replace try_mbus_fmt by set_fmt")
converted a former ov6650_try_fmt() video operation callback to an
ov6650_set_fmt() pad operation callback.  However, the function does not
verify correctness of user provided format->which flag and pad config
pointer arguments.  Fix it.

Fixes: 717fd5b4907ad ("[media] v4l2: replace try_mbus_fmt by set_fmt")
Signed-off-by: Janusz Krzysztofik <jmkrzyszt@gmail.com>
Cc: stable@vger.kernel.org
---
 drivers/media/i2c/ov6650.c | 11 +++++++++++
 1 file changed, 11 insertions(+)

Comments

Sakari Ailus April 30, 2019, 1:58 p.m. UTC | #1 
Hi Janusz,

On Mon, Apr 08, 2019 at 11:42:31PM +0200, Janusz Krzysztofik wrote:
> Commit 717fd5b4907ad ("[media] v4l2: replace try_mbus_fmt by set_fmt")
> converted a former ov6650_try_fmt() video operation callback to an
> ov6650_set_fmt() pad operation callback.  However, the function does not
> verify correctness of user provided format->which flag and pad config
> pointer arguments.  Fix it.
> 
> Fixes: 717fd5b4907ad ("[media] v4l2: replace try_mbus_fmt by set_fmt")
> Signed-off-by: Janusz Krzysztofik <jmkrzyszt@gmail.com>
> Cc: stable@vger.kernel.org
> ---
>  drivers/media/i2c/ov6650.c | 11 +++++++++++
>  1 file changed, 11 insertions(+)
> 
> diff --git a/drivers/media/i2c/ov6650.c b/drivers/media/i2c/ov6650.c
> index 007f0ca24913..3062c9a6c57b 100644
> --- a/drivers/media/i2c/ov6650.c
> +++ b/drivers/media/i2c/ov6650.c
> @@ -679,6 +679,17 @@ static int ov6650_set_fmt(struct v4l2_subdev *sd,
>  	if (format->pad)
>  		return -EINVAL;
>  
> +	switch (format->which) {
> +	case V4L2_SUBDEV_FORMAT_ACTIVE:
> +		break;
> +	case V4L2_SUBDEV_FORMAT_TRY:
> +		if (cfg)
> +			break;
> +		/* fall through */
> +	default:
> +		return -EINVAL;
> +	}

For this to return an error, there would need to be a problem on the
caller's side. In other words, this isn't supposed to happen.

Instead of adding such checks to all drivers, I think they instead should
be added to the caller's side. The checks already exist for uAPI, but not
for other drivers.

The same applies to patches until 7th (including).

> +
>  	if (is_unscaled_ok(mf->width, mf->height, &priv->rect))
>  		v4l_bound_align_image(&mf->width, 2, W_CIF, 1,
>  				&mf->height, 2, H_CIF, 1, 0);
Janusz Krzysztofik May 7, 2019, 11:33 p.m. UTC | #2 
Hi Sakari,

Sorry for late answer, I've just found your message in Gmail spam folder.

On Tuesday, April 30, 2019 3:58:09 PM CEST Sakari Ailus wrote:
> Hi Janusz,
> 
> On Mon, Apr 08, 2019 at 11:42:31PM +0200, Janusz Krzysztofik wrote:
> > Commit 717fd5b4907ad ("[media] v4l2: replace try_mbus_fmt by set_fmt")
> > converted a former ov6650_try_fmt() video operation callback to an
> > ov6650_set_fmt() pad operation callback.  However, the function does not
> > verify correctness of user provided format->which flag and pad config
> > pointer arguments.  Fix it.
> > 
> > Fixes: 717fd5b4907ad ("[media] v4l2: replace try_mbus_fmt by set_fmt")
> > Signed-off-by: Janusz Krzysztofik <jmkrzyszt@gmail.com>
> > Cc: stable@vger.kernel.org
> > ---
> >  drivers/media/i2c/ov6650.c | 11 +++++++++++
> >  1 file changed, 11 insertions(+)
> > 
> > diff --git a/drivers/media/i2c/ov6650.c b/drivers/media/i2c/ov6650.c
> > index 007f0ca24913..3062c9a6c57b 100644
> > --- a/drivers/media/i2c/ov6650.c
> > +++ b/drivers/media/i2c/ov6650.c
> > @@ -679,6 +679,17 @@ static int ov6650_set_fmt(struct v4l2_subdev *sd,
> >  	if (format->pad)
> >  		return -EINVAL;
> >  
> > +	switch (format->which) {
> > +	case V4L2_SUBDEV_FORMAT_ACTIVE:
> > +		break;
> > +	case V4L2_SUBDEV_FORMAT_TRY:
> > +		if (cfg)
> > +			break;
> > +		/* fall through */
> > +	default:
> > +		return -EINVAL;
> > +	}
> 
> For this to return an error, there would need to be a problem on the
> caller's side. In other words, this isn't supposed to happen.

How about raising a bug if that happens nevertheless?

@@ -677,10 +677,20 @@ static int ov6650_set_fmt(struct v4l2_subdev *sd,
 	struct ov6650 *priv = to_ov6650(client);
 
 	if (format->pad)
 		return -EINVAL;
 
+	switch (format->which) {
+	case V4L2_SUBDEV_FORMAT_TRY:
+		BUG_ON(!cfg);
+		/* fall through */
+	case V4L2_SUBDEV_FORMAT_ACTIVE:
+		break;
+	default:
+		BUG();
+	}
+
 	if (is_unscaled_ok(mf->width, mf->height, &priv->rect))
 		v4l_bound_align_image(&mf->width, 2, W_CIF, 1,
 				&mf->height, 2, H_CIF, 1, 0);
 
 	mf->field = V4L2_FIELD_NONE;


Thanks,
Janusz

> 
> Instead of adding such checks to all drivers, I think they instead should
> be added to the caller's side. The checks already exist for uAPI, but not
> for other drivers.
> 
> The same applies to patches until 7th (including).
> 
> > +
> >  	if (is_unscaled_ok(mf->width, mf->height, &priv->rect))
> >  		v4l_bound_align_image(&mf->width, 2, W_CIF, 1,
> >  				&mf->height, 2, H_CIF, 1, 0);
> 
>
diff mbox

Patch

diff --git a/drivers/media/i2c/ov6650.c b/drivers/media/i2c/ov6650.c
index 007f0ca24913..3062c9a6c57b 100644
--- a/drivers/media/i2c/ov6650.c
+++ b/drivers/media/i2c/ov6650.c
@@ -679,6 +679,17 @@  static int ov6650_set_fmt(struct v4l2_subdev *sd,
 	if (format->pad)
 		return -EINVAL;
 
+	switch (format->which) {
+	case V4L2_SUBDEV_FORMAT_ACTIVE:
+		break;
+	case V4L2_SUBDEV_FORMAT_TRY:
+		if (cfg)
+			break;
+		/* fall through */
+	default:
+		return -EINVAL;
+	}
+
 	if (is_unscaled_ok(mf->width, mf->height, &priv->rect))
 		v4l_bound_align_image(&mf->width, 2, W_CIF, 1,
 				&mf->height, 2, H_CIF, 1, 0);