Message ID | 1365739077-8740-1-git-send-email-sw0312.kim@samsung.com (mailing list archive) |
---|---|
State | Accepted, archived |
Headers | From: Seung-Woo Kim <sw0312.kim@samsung.com> To: linux-media@vger.kernel.org Cc: mchehab@redhat.com, m.szyprowski@samsung.com, pawel@osciak.com, kyungmin.park@samsung.com, sw0312.kim@samsung.com Subject: [PATCH] media: vb2: add length check for mmap Date: Fri, 12 Apr 2013 12:57:57 +0900 |
Commit Message
Seung-Woo Kim
April 12, 2013, 3:57 a.m. UTC
The length of mmap() can be bigger than length of vb2 buffer, so
it should be checked.
Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>
---
drivers/media/v4l2-core/videobuf2-core.c | 5 +++++
1 files changed, 5 insertions(+), 0 deletions(-)
Comments
On 4/12/2013 5:57 AM, Seung-Woo Kim wrote: > The length of mmap() can be bigger than length of vb2 buffer, so > it should be checked. > > Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com> Acked-by: Marek Szyprowski <m.szyprowski@samsung.com> > --- > drivers/media/v4l2-core/videobuf2-core.c | 5 +++++ > 1 files changed, 5 insertions(+), 0 deletions(-) > > diff --git a/drivers/media/v4l2-core/videobuf2-core.c b/drivers/media/v4l2-core/videobuf2-core.c > index db1235d..2c6ff2d 100644 > --- a/drivers/media/v4l2-core/videobuf2-core.c > +++ b/drivers/media/v4l2-core/videobuf2-core.c > @@ -1886,6 +1886,11 @@ int vb2_mmap(struct vb2_queue *q, struct vm_area_struct *vma) > > vb = q->bufs[buffer]; > > + if (vb->v4l2_planes[plane].length < (vma->vm_end - vma->vm_start)) { > + dprintk(1, "Invalid length\n"); > + return -EINVAL; > + } > + > ret = call_memop(q, mmap, vb->planes[plane].mem_priv, vma); > if (ret) > return ret; Best regards
On Friday 12 April 2013 08:03:15 Marek Szyprowski wrote: > On 4/12/2013 5:57 AM, Seung-Woo Kim wrote: > > The length of mmap() can be bigger than length of vb2 buffer, so > > it should be checked. > > > > Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com> > > Acked-by: Marek Szyprowski <m.szyprowski@samsung.com> This should be pushed to the stable kernels, as it's a potential security issue. > > --- > > > > drivers/media/v4l2-core/videobuf2-core.c | 5 +++++ > > 1 files changed, 5 insertions(+), 0 deletions(-) > > > > diff --git a/drivers/media/v4l2-core/videobuf2-core.c > > b/drivers/media/v4l2-core/videobuf2-core.c index db1235d..2c6ff2d 100644 > > --- a/drivers/media/v4l2-core/videobuf2-core.c > > +++ b/drivers/media/v4l2-core/videobuf2-core.c > > @@ -1886,6 +1886,11 @@ int vb2_mmap(struct vb2_queue *q, struct > > vm_area_struct *vma)> > > vb = q->bufs[buffer]; > > > > + if (vb->v4l2_planes[plane].length < (vma->vm_end - vma->vm_start)) { > > + dprintk(1, "Invalid length\n"); > > + return -EINVAL; > > + } > > + > > > > ret = call_memop(q, mmap, vb->planes[plane].mem_priv, vma); > > if (ret) > > > > return ret;
Oops, there is an issue. vb2-core does not PAGE_ALIGN the length of the buffer, but mmap() always PAGE_ALIGNs its length. So a buffer whose length from the driver side is not PAGE_ALIGNed cannot be mmapped with this patch.

On 2013-04-12 15:03, Marek Szyprowski wrote: > > On 4/12/2013 5:57 AM, Seung-Woo Kim wrote: >> The length of mmap() can be bigger than length of vb2 buffer, so >> it should be checked. >> >> Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com> > > Acked-by: Marek Szyprowski <m.szyprowski@samsung.com> > >> --- >> drivers/media/v4l2-core/videobuf2-core.c | 5 +++++ >> 1 files changed, 5 insertions(+), 0 deletions(-) >> >> diff --git a/drivers/media/v4l2-core/videobuf2-core.c >> b/drivers/media/v4l2-core/videobuf2-core.c >> index db1235d..2c6ff2d 100644 >> --- a/drivers/media/v4l2-core/videobuf2-core.c >> +++ b/drivers/media/v4l2-core/videobuf2-core.c >> @@ -1886,6 +1886,11 @@ int vb2_mmap(struct vb2_queue *q, struct >> vm_area_struct *vma) >> vb = q->bufs[buffer]; >> + if (vb->v4l2_planes[plane].length < (vma->vm_end - >> vma->vm_start)) { >> + dprintk(1, "Invalid length\n"); >> + return -EINVAL; >> + } >> + >> ret = call_memop(q, mmap, vb->planes[plane].mem_priv, vma); >> if (ret) >> return ret; > > Best regards
diff --git a/drivers/media/v4l2-core/videobuf2-core.c b/drivers/media/v4l2-core/videobuf2-core.c index db1235d..2c6ff2d 100644 --- a/drivers/media/v4l2-core/videobuf2-core.c +++ b/drivers/media/v4l2-core/videobuf2-core.c @@ -1886,6 +1886,11 @@ int vb2_mmap(struct vb2_queue *q, struct vm_area_struct *vma) vb = q->bufs[buffer]; + if (vb->v4l2_planes[plane].length < (vma->vm_end - vma->vm_start)) { + dprintk(1, "Invalid length\n"); + return -EINVAL; + } + ret = call_memop(q, mmap, vb->planes[plane].mem_priv, vma); if (ret) return ret;
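Review bot: the added `if` in vb2_mmap() compares the raw `vb->v4l2_planes[plane].length` against `vma->vm_end - vma->vm_start`, but the VMA size is always a whole number of pages, so a plane whose length is not page-aligned fails the check even for the smallest mapping that covers it. Comparing against `PAGE_ALIGN(vb->v4l2_planes[plane].length)` keeps the oversized-mapping rejection while still allowing such buffers to be mapped. The `dprintk(1, "Invalid length\n")` message would also be easier to act on if it printed the requested size and the plane length.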