From patchwork Thu Jul 20 12:02:09 2017
X-Patchwork-Submitter: Prabhakar
X-Patchwork-Id: 42685
X-Patchwork-Delegate: hverkuil@xs4all.nl
From: "Lad, Prabhakar"
To: LMML
Cc: Arnd Bergmann, Sekhar Nori, Hans Verkuil
Subject: [v4] media: platform: davinci: return -EINVAL for VPFE_CMD_S_CCDC_RAW_PARAMS ioctl
Date: Thu, 20 Jul 2017 13:02:09 +0100
Message-Id: <1500552129-422-1-git-send-email-prabhakar.csengg@gmail.com>
X-Mailing-List: linux-media@vger.kernel.org

This patch makes sure the VPFE_CMD_S_CCDC_RAW_PARAMS ioctl no longer works for the vpfe_capture driver, with a minimal patch suitable for backporting.

- This ioctl was never in the public API and was only defined in a kernel header.
- The function set_params constantly mixes up pointers and phys_addr_t numbers.
- This is part of a 'VPFE_CMD_S_CCDC_RAW_PARAMS' ioctl command that is described as an 'experimental ioctl that will change in future kernels'.
- The code to allocate the table never gets called after we copy_from_user the user input over the kernel settings, and then compare them for inequality.
- We then go on to use an address provided by user space as both the __user pointer for input and pass it through phys_to_virt to come up with a kernel pointer to copy the data to. This looks like a trivially exploitable root hole.

Due to these reasons we make sure this ioctl now returns -EINVAL and backport this patch as far as possible.

Fixes: 5f15fbb68fd7 ("V4L/DVB (12251): v4l: dm644x ccdc module for vpfe capture driver")
Signed-off-by: Lad, Prabhakar
---
 drivers/media/platform/davinci/vpfe_capture.c | 22 ++--------------------
 1 file changed, 2 insertions(+), 20 deletions(-)
diff --git a/drivers/media/platform/davinci/vpfe_capture.c b/drivers/media/platform/davinci/vpfe_capture.c index e3fe3e0..1831bf5 100644 --- a/drivers/media/platform/davinci/vpfe_capture.c +++ b/drivers/media/platform/davinci/vpfe_capture.c @@ -1719,27 +1719,9 @@ static long vpfe_param_handler(struct file *file, void *priv, switch (cmd) { case VPFE_CMD_S_CCDC_RAW_PARAMS: + ret = -EINVAL; v4l2_warn(&vpfe_dev->v4l2_dev, - "VPFE_CMD_S_CCDC_RAW_PARAMS: experimental ioctl\n"); - if (ccdc_dev->hw_ops.set_params) { - ret = ccdc_dev->hw_ops.set_params(param); - if (ret) { - v4l2_dbg(1, debug, &vpfe_dev->v4l2_dev, - "Error setting parameters in CCDC\n"); - goto unlock_out; - } - ret = vpfe_get_ccdc_image_format(vpfe_dev, - &vpfe_dev->fmt); - if (ret < 0) { - v4l2_dbg(1, debug, &vpfe_dev->v4l2_dev, - "Invalid image format at CCDC\n"); - goto unlock_out; - } - } else { - ret = -EINVAL; - v4l2_dbg(1, debug, &vpfe_dev->v4l2_dev, - "VPFE_CMD_S_CCDC_RAW_PARAMS not supported\n"); - } + "VPFE_CMD_S_CCDC_RAW_PARAMS not supported\n"); break; default: ret = -ENOTTY;
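Review bot: the v4l2_warn() kept in this hunk now fires unconditionally on every VPFE_CMD_S_CCDC_RAW_PARAMS call, so any process with the device node open can fill the kernel log by looping on the ioctl; the else branch being removed emitted the same "not supported" text through v4l2_dbg(1, debug, ...), and keeping the message at debug level (or rate-limiting it) avoids that. The new `ret = -EINVAL;` also sits two lines above a default case that returns -ENOTTY for unknown commands; it matches the subject line and the value the old else branch returned, but a sentence in the commit message on why ENOTTY was not chosen for a command the driver no longer implements would help backporters. Finally, this hunk only removes the caller: the set_params path described in the message (copy_from_user followed by phys_to_virt on a user-supplied address) remains in the CCDC code as dead code, so a follow-up removing it together with the ioctl definition in the header should be queued once this minimal, backportable fix lands.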