From 8576feebaf688dadf0548b9a16d2b90b76ed714c Mon Sep 17 00:00:00 2001
From: Trishansh Bhardwaj
Date: Tue, 18 Apr 2017 14:44:43 +0530
Subject: msm: camera: Fix kernel overwrite GET_BUF_BY_IDX ioctl

Assign address of buf_info into ioctl_ptr. Previously we were copying first 8 bytes of buf_info (content) into ioctl_ptr. Which is dereferenced and written later causing kernel overwrite vulnerability.

Change-Id: Ie5deae249da8208523027f8ec5632f960757e9bd
Signed-off-by: Trishansh Bhardwaj
---
 drivers/media/platform/msm/camera_v2/msm_buf_mgr/msm_generic_buf_mgr.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/drivers/media/platform/msm/camera_v2/msm_buf_mgr/msm_generic_buf_mgr.c b/drivers/media/platform/msm/camera_v2/msm_buf_mgr/msm_generic_buf_mgr.c
index 882ab03..d0b265a 100644
--- a/drivers/media/platform/msm/camera_v2/msm_buf_mgr/msm_generic_buf_mgr.c
+++ b/drivers/media/platform/msm/camera_v2/msm_buf_mgr/msm_generic_buf_mgr.c
@@ -554,8 +554,7 @@ static long msm_buf_mngr_subdev_ioctl(struct v4l2_subdev *sd,
 sizeof(struct msm_buf_mngr_info))) {
 return -EFAULT;
 }
- MSM_CAM_GET_IOCTL_ARG_PTR(&k_ioctl.ioctl_ptr,
- &buf_info, sizeof(void *));
+ k_ioctl.ioctl_ptr = (uintptr_t)&buf_info;
 argp = &k_ioctl;
 rc = msm_cam_buf_mgr_ops(cmd, argp);
 }
-- 
cgit v1.1
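Review bot: The new assignment puts a kernel stack address into ioctl_ptr, a field that until this point apparently held the user pointer from which buf_info was just copied (the copy and its `return -EFAULT` check are cut off at the top of the hunk), and nothing in the hunk shows that msm_cam_buf_mgr_ops and the code it dispatches to treat ioctl_ptr as a kernel address rather than handing it to copy_to_user/copy_from_user; that contract lives outside the hunk and should be confirmed, since a __user-style access on it would be the mirror image of the bug being fixed. A one-line comment on the new line would make the intent visible to the next reader, e.g. `/* ioctl_ptr now holds the kernel copy (buf_info); the ops path must not treat it as a __user pointer */`. The cast also assumes ioctl_ptr is at least pointer-width; the removed macro copied only sizeof(void *) bytes into it, so this is presumably already true, but `BUILD_BUG_ON(sizeof(k_ioctl.ioctl_ptr) < sizeof(uintptr_t));` next to the assignment would pin it for both 32- and 64-bit builds. msm_buf_mngr_subdev_ioctl begins and ends outside the hunk, including whatever copies buf_info back to user space after the ops call.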