From patchwork Thu Jul 20 08:56:30 2017
X-Patchwork-Submitter: Prabhakar
X-Patchwork-Id: 42680
X-Patchwork-Delegate: hverkuil@xs4all.nl
From: "Lad, Prabhakar"
To: LMML
Cc: Arnd Bergmann, Sekhar Nori, Hans Verkuil
Subject: [v3 1/2] media: platform: davinci: prepare for removal of VPFE_CMD_S_CCDC_RAW_PARAMS ioctl
Date: Thu, 20 Jul 2017 09:56:30 +0100
Message-Id: <1500540991-27430-2-git-send-email-prabhakar.csengg@gmail.com>
In-Reply-To: <1500540991-27430-1-git-send-email-prabhakar.csengg@gmail.com>
References: <1500540991-27430-1-git-send-email-prabhakar.csengg@gmail.com>

preparing for removal of VPFE_CMD_S_CCDC_RAW_PARAMS ioctl from
davinci vpfe_capture driver because of the following reasons:

- This ioctl was never in public API and was only defined in kernel header.
- The function set_params constantly mixes up pointers and phys_addr_t
  numbers.
- This is part of a 'VPFE_CMD_S_CCDC_RAW_PARAMS' ioctl command that is
  described as an 'experimental ioctl that will change in future kernels'.
- The code to allocate the table never gets called after we copy_from_user
  the user input over the kernel settings, and then compare them
  for inequality.
- We then go on to use an address provided by user space as both the
  __user pointer for input and pass it through phys_to_virt to come up
  with a kernel pointer to copy the data to. This looks like a trivially
  exploitable root hole.

Fixes: 5f15fbb68fd7 ("V4L/DVB (12251): v4l: dm644x ccdc module for vpfe capture driver")
Signed-off-by: Lad, Prabhakar --- drivers/media/platform/davinci/vpfe_capture.c | 22 ++-------------------- 1 file changed, 2 insertions(+), 20 deletions(-) diff --git a/drivers/media/platform/davinci/vpfe_capture.c b/drivers/media/platform/davinci/vpfe_capture.c index e3fe3e0..1831bf5 100644 --- a/drivers/media/platform/davinci/vpfe_capture.c +++ b/drivers/media/platform/davinci/vpfe_capture.c @@ -1719,27 +1719,9 @@ static long vpfe_param_handler(struct file *file, void *priv, switch (cmd) { case VPFE_CMD_S_CCDC_RAW_PARAMS: + ret = -EINVAL; v4l2_warn(&vpfe_dev->v4l2_dev, - "VPFE_CMD_S_CCDC_RAW_PARAMS: experimental ioctl\n"); - if (ccdc_dev->hw_ops.set_params) { - ret = ccdc_dev->hw_ops.set_params(param); - if (ret) { - v4l2_dbg(1, debug, &vpfe_dev->v4l2_dev, - "Error setting parameters in CCDC\n"); - goto unlock_out; - } - ret = vpfe_get_ccdc_image_format(vpfe_dev, - &vpfe_dev->fmt); - if (ret < 0) { - v4l2_dbg(1, debug, &vpfe_dev->v4l2_dev, - "Invalid image format at CCDC\n"); - goto unlock_out; - } - } else { - ret = -EINVAL; - v4l2_dbg(1, debug, &vpfe_dev->v4l2_dev, - "VPFE_CMD_S_CCDC_RAW_PARAMS not supported\n"); - } + "VPFE_CMD_S_CCDC_RAW_PARAMS not supported\n"); break; default: ret = -ENOTTY;
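
Review bot: In the VPFE_CMD_S_CCDC_RAW_PARAMS case, the v4l2_warn() is now reached on every call of this ioctl, so any caller that can open the device can fill the kernel log at will; the removed else branch printed the same "not supported" text through v4l2_dbg(1, debug, ...), and keeping that level (or a once-only or rate-limited warning) would avoid the log flood. The case also returns -EINVAL with a "not supported" message while the default case directly below returns -ENOTTY for commands the driver does not handle; if -EINVAL is kept on purpose to match what the old else branch returned, a one-line comment in the case saying so would help, otherwise falling through to default gives callers the conventional error. Since the hunk no longer calls ccdc_dev->hw_ops.set_params(), it is worth checking in the same patch whether the param argument of vpfe_param_handler() is still used anywhere in the function. The commit message describes the removed path as a trivially exploitable root hole and carries a Fixes: tag, so consider adding a stable Cc so the change reaches the kernels that still have the handler.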