| Message ID | Pine.LNX.4.64.1404141545280.23631@axis700.grange (mailing list archive) |
|---|---|
| State | Accepted, archived |
| Headers |
Received: from mail.tu-berlin.de ([130.149.7.33]) by www.linuxtv.org with esmtp (Exim 4.72) (envelope-from <linux-media-owner@vger.kernel.org>) id 1WZhGe-0004El-EZ; Mon, 14 Apr 2014 15:49:48 +0200 X-tubIT-Incoming-IP: 209.132.180.67 Received: from vger.kernel.org ([209.132.180.67]) by mail.tu-berlin.de (exim-4.72/mailfrontend-6) with esmtp id 1WZhGc-00050o-4M; Mon, 14 Apr 2014 15:49:48 +0200 Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1755231AbaDNNtk (ORCPT <rfc822;mkrufky@linuxtv.org> + 1 other); Mon, 14 Apr 2014 09:49:40 -0400 Received: from moutng.kundenserver.de ([212.227.126.131]:63765 "EHLO moutng.kundenserver.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1755006AbaDNNth (ORCPT <rfc822;linux-media@vger.kernel.org>); Mon, 14 Apr 2014 09:49:37 -0400 Received: from axis700.grange (dslb-094-221-104-164.pools.arcor-ip.net [94.221.104.164]) by mrelayeu.kundenserver.de (node=mreue004) with ESMTP (Nemesis) id 0MbLRw-1WJ7md0hyG-00IhkI; Mon, 14 Apr 2014 15:49:35 +0200 Received: by axis700.grange (Postfix, from userid 1000) id BFA4940BDB; Mon, 14 Apr 2014 15:49:34 +0200 (CEST) Received: from localhost (localhost [127.0.0.1]) by axis700.grange (Postfix) with ESMTP id B584640BD9; Mon, 14 Apr 2014 15:49:34 +0200 (CEST) Date: Mon, 14 Apr 2014 15:49:34 +0200 (CEST) From: Guennadi Liakhovetski <g.liakhovetski@gmx.de> X-X-Sender: lyakh@axis700.grange To: Linux Media Mailing List <linux-media@vger.kernel.org> cc: Jonathan Corbet <corbet@lwn.net>, Daniel Drake <dsd@laptop.org> Subject: [PATCH] V4L2: ov7670: fix a wrong index, potentially Oopsing the kernel from user-space Message-ID: <Pine.LNX.4.64.1404141545280.23631@axis700.grange> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII X-Provags-ID: V02:K0:BvZNgJJFlrHvVtdF+i668QsXNDy3XdeGH11um6VqwPM N4HFE7f0aPXEbOttNTHMxZ5KJv4jzre2N2/L7ltN6tOaGalvgp yUuTRg58f8h+13x2m4CPsYheEE7v+b+0M4WRdUdUeFFubEqGK/ ne0HDsPYNoRL5ee7IcnWeLkk0M3Q2cbKP9knFEpCZvuGjgqT7/ ytvB/VNlWqdoIaRq3/A+8Jg0qKnttw/Hveh/5PZdxnCWcQPnoC hU4wiFRyF6vQHP0gW9nKTCk++tWvzgYx3B1Lnj1ttBP7ChaIfV 4rfotVL3KJmDHyh2oBnbayEQvKPocFuN6Bape9L96EXPULeJsT u+DZj9vaF61eiELaB9ZagVOIho0gVL0pmQgp3QCK/yNDS/dc+5 YAQ4xdaUygu5w== Sender: linux-media-owner@vger.kernel.org Precedence: bulk List-ID: <linux-media.vger.kernel.org> X-Mailing-List: linux-media@vger.kernel.org X-PMX-Version: 6.0.0.2142326, Antispam-Engine: 2.7.2.2107409, Antispam-Data: 2014.4.14.134221 X-PMX-Spam: Gauge=IIIIIIIII, Probability=9%, Report=' MULTIPLE_RCPTS 0.1, HTML_00_01 0.05, HTML_00_10 0.05, MSGID_ADDED_BY_MTA 0.05, BODYTEXTP_SIZE_3000_LESS 0, BODY_SIZE_1600_1699 0, BODY_SIZE_2000_LESS 0, BODY_SIZE_5000_LESS 0, BODY_SIZE_7000_LESS 0, URI_ENDS_IN_HTML 0, __ANY_URI 0, __CP_MEDIA_BODY 0, __CP_URI_IN_BODY 0, __CT 0, __CT_TEXT_PLAIN 0, __FRAUD_BODY_WEBMAIL 0, __FRAUD_WEBMAIL 0, __FRAUD_WEBMAIL_FROM 0, __HAS_FROM 0, __HAS_MSGID 0, __HAS_X_MAILING_LIST 0, __INT_PROD_COMP 0, __MIME_TEXT_ONLY 0, __MIME_VERSION 0, __MULTIPLE_RCPTS_CC_X2 0, __PHISH_SPEAR_STRUCTURE_1 0, __SANE_MSGID 0, __SUBJ_ALPHA_END 0, __TO_MALFORMED_2 0, __URI_NO_WWW 0, __URI_NS ' |
Commit Message
Guennadi Liakhovetski
April 14, 2014, 1:49 p.m. UTC
Commit 75e2bdad8901a0b599e01a96229be922eef1e488 "ov7670: allow
configuration of image size, clock speed, and I/O method" uses a wrong
index to iterate an array. Apart from being wrong, it also uses an
unchecked value from user-space, which can cause access to unmapped
memory in the kernel, triggered by a normal desktop user with rights to
use V4L2 devices.
Signed-off-by: Guennadi Liakhovetski <g.liakhovetski@gmx.de>
---
Jonathan,
I'd prefer to first post it to the lists to maybe have someone test it ;)
Otherwise - I've got a couple more fixes for 3.15, which I hope to make
ready and push in a couple of weeks... So, with your ack I can take this
one too, or, if you prefer to push it earlier - would be good too.
drivers/media/i2c/ov7670.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
Comments
On Mon, 14 Apr 2014 15:49:34 +0200 (CEST) Guennadi Liakhovetski <g.liakhovetski@gmx.de> wrote: > I'd prefer to first post it to the lists to maybe have someone test it ;) > Otherwise - I've got a couple more fixes for 3.15, which I hope to make > ready and push in a couple of weeks... So, with your ack I can take this > one too, or, if you prefer to push it earlier - would be good too. Unfortunately, my machines that could test this are a couple thousand miles away, and that situation isn't going to change anytime soon. It looks clearly more correct than what was there before, though, so feel free to add my ack to it. Thanks, jon -- To unsubscribe from this list: send the line "unsubscribe linux-media" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Hi Guennadi, On Monday 14 April 2014 15:49:34 Guennadi Liakhovetski wrote: > Commit 75e2bdad8901a0b599e01a96229be922eef1e488 "ov7670: allow > configuration of image size, clock speed, and I/O method" uses a wrong > index to iterate an array. Apart from being wrong, it also uses an > unchecked value from user-space, which can cause access to unmapped > memory in the kernel, triggered by a normal desktop user with rights to > use V4L2 devices. > > Signed-off-by: Guennadi Liakhovetski <g.liakhovetski@gmx.de> > --- > > Jonathan, > I'd prefer to first post it to the lists to maybe have someone test it ;) > Otherwise - I've got a couple more fixes for 3.15, which I hope to make > ready and push in a couple of weeks... So, with your ack I can take this > one too, or, if you prefer to push it earlier - would be good too. What's your plan for this patch ? Will you send a pull request ? Alternatively I can take it in my tree. > drivers/media/i2c/ov7670.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/drivers/media/i2c/ov7670.c b/drivers/media/i2c/ov7670.c > index e8a1ce2..cdd7c1b 100644 > --- a/drivers/media/i2c/ov7670.c > +++ b/drivers/media/i2c/ov7670.c > @@ -1109,7 +1109,7 @@ static int ov7670_enum_framesizes(struct v4l2_subdev > *sd, * windows that fall outside that. > */ > for (i = 0; i < n_win_sizes; i++) { > - struct ov7670_win_size *win = &info->devtype->win_sizes[index]; > + struct ov7670_win_size *win = &info->devtype->win_sizes[i]; > if (info->min_width && win->width < info->min_width) > continue; > if (info->min_height && win->height < info->min_height)
Hi Laurent, On Tue, 13 May 2014, Laurent Pinchart wrote: > Hi Guennadi, > > On Monday 14 April 2014 15:49:34 Guennadi Liakhovetski wrote: > > Commit 75e2bdad8901a0b599e01a96229be922eef1e488 "ov7670: allow > > configuration of image size, clock speed, and I/O method" uses a wrong > > index to iterate an array. Apart from being wrong, it also uses an > > unchecked value from user-space, which can cause access to unmapped > > memory in the kernel, triggered by a normal desktop user with rights to > > use V4L2 devices. > > > > Signed-off-by: Guennadi Liakhovetski <g.liakhovetski@gmx.de> > > --- > > > > Jonathan, > > I'd prefer to first post it to the lists to maybe have someone test it ;) > > Otherwise - I've got a couple more fixes for 3.15, which I hope to make > > ready and push in a couple of weeks... So, with your ack I can take this > > one too, or, if you prefer to push it earlier - would be good too. > > What's your plan for this patch ? Will you send a pull request ? Alternatively > I can take it in my tree. https://patchwork.linuxtv.org/patch/23815/ Thanks Guennadi > > > drivers/media/i2c/ov7670.c | 2 +- > > 1 file changed, 1 insertion(+), 1 deletion(-) > > > > diff --git a/drivers/media/i2c/ov7670.c b/drivers/media/i2c/ov7670.c > > index e8a1ce2..cdd7c1b 100644 > > --- a/drivers/media/i2c/ov7670.c > > +++ b/drivers/media/i2c/ov7670.c > > @@ -1109,7 +1109,7 @@ static int ov7670_enum_framesizes(struct v4l2_subdev > > *sd, * windows that fall outside that. > > */ > > for (i = 0; i < n_win_sizes; i++) { > > - struct ov7670_win_size *win = &info->devtype->win_sizes[index]; > > + struct ov7670_win_size *win = &info->devtype->win_sizes[i]; > > if (info->min_width && win->width < info->min_width) > > continue; > > if (info->min_height && win->height < info->min_height) > > -- > Regards, > > Laurent Pinchart > --- Guennadi Liakhovetski, Ph.D. Freelance Open-Source Software Developer http://www.open-technology.de/ -- To unsubscribe from this list: send the line "unsubscribe linux-media" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Hi Guennadi, On Tuesday 13 May 2014 14:31:25 Guennadi Liakhovetski wrote: > On Tue, 13 May 2014, Laurent Pinchart wrote: > > On Monday 14 April 2014 15:49:34 Guennadi Liakhovetski wrote: > > > Commit 75e2bdad8901a0b599e01a96229be922eef1e488 "ov7670: allow > > > configuration of image size, clock speed, and I/O method" uses a wrong > > > index to iterate an array. Apart from being wrong, it also uses an > > > unchecked value from user-space, which can cause access to unmapped > > > memory in the kernel, triggered by a normal desktop user with rights to > > > use V4L2 devices. > > > > > > Signed-off-by: Guennadi Liakhovetski <g.liakhovetski@gmx.de> > > > --- > > > > > > Jonathan, > > > I'd prefer to first post it to the lists to maybe have someone test it > > > ;) > > > Otherwise - I've got a couple more fixes for 3.15, which I hope to make > > > ready and push in a couple of weeks... So, with your ack I can take this > > > one too, or, if you prefer to push it earlier - would be good too. > > > > What's your plan for this patch ? Will you send a pull request ? > > Alternatively I can take it in my tree. > > https://patchwork.linuxtv.org/patch/23815/ Sorry for missing that. I'll mark https://patchwork.linuxtv.org/patch/23599/ as accepted then. > > > drivers/media/i2c/ov7670.c | 2 +- > > > 1 file changed, 1 insertion(+), 1 deletion(-) > > > > > > diff --git a/drivers/media/i2c/ov7670.c b/drivers/media/i2c/ov7670.c > > > index e8a1ce2..cdd7c1b 100644 > > > --- a/drivers/media/i2c/ov7670.c > > > +++ b/drivers/media/i2c/ov7670.c > > > @@ -1109,7 +1109,7 @@ static int ov7670_enum_framesizes(struct > > > v4l2_subdev > > > *sd, * windows that fall outside that. > > > > > > */ > > > > > > for (i = 0; i < n_win_sizes; i++) { > > > > > > - struct ov7670_win_size *win = &info->devtype->win_sizes[index]; > > > + struct ov7670_win_size *win = &info->devtype->win_sizes[i]; > > > > > > if (info->min_width && win->width < info->min_width) > > > > > > continue; > > > > > > if (info->min_height && win->height < info->min_height)
diff --git a/drivers/media/i2c/ov7670.c b/drivers/media/i2c/ov7670.c index e8a1ce2..cdd7c1b 100644 --- a/drivers/media/i2c/ov7670.c +++ b/drivers/media/i2c/ov7670.c @@ -1109,7 +1109,7 @@ static int ov7670_enum_framesizes(struct v4l2_subdev *sd, * windows that fall outside that. */ for (i = 0; i < n_win_sizes; i++) { - struct ov7670_win_size *win = &info->devtype->win_sizes[index]; + struct ov7670_win_size *win = &info->devtype->win_sizes[i]; if (info->min_width && win->width < info->min_width) continue; if (info->min_height && win->height < info->min_height)