DivestOS/Patches/Linux_CVEs/CVE-2017-8261/3.18/0002.patch
2017-11-07 21:38:42 -05:00


From 8576feebaf688dadf0548b9a16d2b90b76ed714c Mon Sep 17 00:00:00 2001
From: Trishansh Bhardwaj <tbhardwa@codeaurora.org>
Date: Tue, 18 Apr 2017 14:44:43 +0530
Subject: msm: camera: Fix kernel overwrite GET_BUF_BY_IDX ioctl

Assign address of buf_info into ioctl_ptr.
Previously we were copying the first 8 bytes of buf_info (content)
into ioctl_ptr, which is dereferenced and written later, causing a
kernel overwrite vulnerability.

Change-Id: Ie5deae249da8208523027f8ec5632f960757e9bd
Signed-off-by: Trishansh Bhardwaj <tbhardwa@codeaurora.org>
---
drivers/media/platform/msm/camera_v2/msm_buf_mgr/msm_generic_buf_mgr.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/drivers/media/platform/msm/camera_v2/msm_buf_mgr/msm_generic_buf_mgr.c b/drivers/media/platform/msm/camera_v2/msm_buf_mgr/msm_generic_buf_mgr.c
index 882ab03..d0b265a 100644
--- a/drivers/media/platform/msm/camera_v2/msm_buf_mgr/msm_generic_buf_mgr.c
+++ b/drivers/media/platform/msm/camera_v2/msm_buf_mgr/msm_generic_buf_mgr.c
@@ -554,8 +554,7 @@ static long msm_buf_mngr_subdev_ioctl(struct v4l2_subdev *sd,
sizeof(struct msm_buf_mngr_info))) {
return -EFAULT;
}
- MSM_CAM_GET_IOCTL_ARG_PTR(&k_ioctl.ioctl_ptr,
- &buf_info, sizeof(void *));
+ k_ioctl.ioctl_ptr = (uintptr_t)&buf_info;
argp = &k_ioctl;
rc = msm_cam_buf_mgr_ops(cmd, argp);
}
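Review bot: the added line `k_ioctl.ioctl_ptr = (uintptr_t)&buf_info;` stores a kernel address in `ioctl_ptr` with no comment saying that on this path the field holds a kernel pointer rather than a caller-supplied value. A one-line comment above the assignment would record that `msm_cam_buf_mgr_ops` is expected to dereference it as a kernel pointer to `buf_info`. The cast assumes `ioctl_ptr` is at least as wide as `uintptr_t`; it is worth confirming that against the field's declaration, which is not visible here. The removed call passed `&buf_info` with `sizeof(void *)` to `MSM_CAM_GET_IOCTL_ARG_PTR`, which the commit message says copied the first 8 bytes of the struct's content into the pointer field. Any other call site that hands the same macro the address of a local struct should be checked for the same mistake.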
--
cgit v1.1