mirror of
https://github.com/Divested-Mobile/DivestOS-Build.git
synced 2024-12-11 08:54:28 -05:00
148 lines
4.7 KiB
Diff
148 lines
4.7 KiB
Diff
From 86f0d207d478e1681f6711b46766cfb3c6a30fb5 Mon Sep 17 00:00:00 2001
|
|
From: Ravi kumar Koyyana <rkoyyana@codeaurora.org>
|
|
Date: Mon, 27 Mar 2017 17:44:36 -0700
|
|
Subject: msm: camera2: cpp: Fix iommu_attach/detach compat_ioctl issue
|
|
|
|
When the Camera application exercises 32-bit version of the V4L2 ioctl
|
|
operation, it results accessing user space memory illegally. This is
|
|
due to the direct access of user space buffer by Camera CPP driver.
|
|
|
|
Thus, fix this by copying user space buffer contents into kernel space
|
|
buffer of the driver for further processing. Only after checking for
|
|
proper length of user space buffer, proceed further. This will prevent
|
|
the buffer overflow and invalid memory access.
|
|
|
|
CRs-fixed: 2025367
|
|
Change-Id: I85cf4a961884c7bb0d036299b886044aef7baf7c
|
|
Signed-off-by: Ravi kumar Koyyana <rkoyyana@codeaurora.org>
|
|
---
|
|
.../platform/msm/camera_v2/pproc/cpp/msm_cpp.c | 49 ++++++++++++++++------
|
|
1 file changed, 37 insertions(+), 12 deletions(-)
|
|
|
|
diff --git a/drivers/media/platform/msm/camera_v2/pproc/cpp/msm_cpp.c b/drivers/media/platform/msm/camera_v2/pproc/cpp/msm_cpp.c
|
|
index 8402e31..95aac07 100644
|
|
--- a/drivers/media/platform/msm/camera_v2/pproc/cpp/msm_cpp.c
|
|
+++ b/drivers/media/platform/msm/camera_v2/pproc/cpp/msm_cpp.c
|
|
@@ -2953,8 +2953,9 @@ static int msm_cpp_validate_input(unsigned int cmd, void *arg,
|
|
}
|
|
|
|
*ioctl_ptr = arg;
|
|
- if ((*ioctl_ptr == NULL) ||
|
|
- ((*ioctl_ptr)->ioctl_ptr == NULL)) {
|
|
+ if (((*ioctl_ptr) == NULL) ||
|
|
+ ((*ioctl_ptr)->ioctl_ptr == NULL) ||
|
|
+ ((*ioctl_ptr)->len == 0)) {
|
|
pr_err("Error invalid ioctl argument cmd %u", cmd);
|
|
return -EINVAL;
|
|
}
|
|
@@ -3503,13 +3504,18 @@ STREAM_BUFF_END:
|
|
if (cpp_dev->iommu_state == CPP_IOMMU_STATE_DETACHED) {
|
|
struct msm_camera_smmu_attach_type cpp_attach_info;
|
|
|
|
+ if (ioctl_ptr->len !=
|
|
+ sizeof(struct msm_camera_smmu_attach_type)) {
|
|
+ rc = -EINVAL;
|
|
+ break;
|
|
+ }
|
|
+
|
|
memset(&cpp_attach_info, 0, sizeof(cpp_attach_info));
|
|
rc = msm_cpp_copy_from_ioctl_ptr(&cpp_attach_info,
|
|
ioctl_ptr);
|
|
if (rc < 0) {
|
|
pr_err("CPP_IOMMU_ATTACH copy from user fail");
|
|
- ERR_COPY_FROM_USER();
|
|
- return -EINVAL;
|
|
+ break;
|
|
}
|
|
|
|
cpp_dev->security_mode = cpp_attach_info.attach;
|
|
@@ -3538,16 +3544,20 @@ STREAM_BUFF_END:
|
|
case VIDIOC_MSM_CPP_IOMMU_DETACH: {
|
|
if ((cpp_dev->iommu_state == CPP_IOMMU_STATE_ATTACHED) &&
|
|
(cpp_dev->stream_cnt == 0)) {
|
|
-
|
|
struct msm_camera_smmu_attach_type cpp_attach_info;
|
|
|
|
+ if (ioctl_ptr->len !=
|
|
+ sizeof(struct msm_camera_smmu_attach_type)) {
|
|
+ rc = -EINVAL;
|
|
+ break;
|
|
+ }
|
|
+
|
|
memset(&cpp_attach_info, 0, sizeof(cpp_attach_info));
|
|
rc = msm_cpp_copy_from_ioctl_ptr(&cpp_attach_info,
|
|
ioctl_ptr);
|
|
if (rc < 0) {
|
|
pr_err("CPP_IOMMU_DETTACH copy from user fail");
|
|
- ERR_COPY_FROM_USER();
|
|
- return -EINVAL;
|
|
+ break;
|
|
}
|
|
|
|
cpp_dev->security_mode = cpp_attach_info.attach;
|
|
@@ -3568,6 +3578,7 @@ STREAM_BUFF_END:
|
|
} else {
|
|
pr_err("%s:%d IOMMMU attach triggered in invalid state\n",
|
|
__func__, __LINE__);
|
|
+ rc = -EINVAL;
|
|
}
|
|
break;
|
|
}
|
|
@@ -3883,6 +3894,7 @@ static long msm_cpp_subdev_fops_compat_ioctl(struct file *file,
|
|
struct msm_cpp_stream_buff_info_t k_cpp_buff_info;
|
|
struct msm_cpp_frame_info32_t k32_frame_info;
|
|
struct msm_cpp_frame_info_t k64_frame_info;
|
|
+ struct msm_camera_smmu_attach_type kb_cpp_smmu_attach_info;
|
|
uint32_t identity_k = 0;
|
|
bool is_copytouser_req = true;
|
|
void __user *up = (void __user *)arg;
|
|
@@ -4187,11 +4199,23 @@ static long msm_cpp_subdev_fops_compat_ioctl(struct file *file,
|
|
break;
|
|
}
|
|
case VIDIOC_MSM_CPP_IOMMU_ATTACH32:
|
|
- cmd = VIDIOC_MSM_CPP_IOMMU_ATTACH;
|
|
- break;
|
|
case VIDIOC_MSM_CPP_IOMMU_DETACH32:
|
|
- cmd = VIDIOC_MSM_CPP_IOMMU_DETACH;
|
|
+ {
|
|
+ if ((kp_ioctl.len != sizeof(struct msm_camera_smmu_attach_type))
|
|
+ || (copy_from_user(&kb_cpp_smmu_attach_info,
|
|
+ (void __user *)kp_ioctl.ioctl_ptr,
|
|
+ sizeof(kb_cpp_smmu_attach_info)))) {
|
|
+ mutex_unlock(&cpp_dev->mutex);
|
|
+ return -EINVAL;
|
|
+ }
|
|
+
|
|
+ kp_ioctl.ioctl_ptr = (void *)&kb_cpp_smmu_attach_info;
|
|
+ is_copytouser_req = false;
|
|
+ cmd = (cmd == VIDIOC_MSM_CPP_IOMMU_ATTACH32) ?
|
|
+ VIDIOC_MSM_CPP_IOMMU_ATTACH :
|
|
+ VIDIOC_MSM_CPP_IOMMU_DETACH;
|
|
break;
|
|
+ }
|
|
case MSM_SD_NOTIFY_FREEZE:
|
|
break;
|
|
case MSM_SD_UNNOTIFY_FREEZE:
|
|
@@ -4202,7 +4226,8 @@ static long msm_cpp_subdev_fops_compat_ioctl(struct file *file,
|
|
default:
|
|
pr_err_ratelimited("%s: unsupported compat type :%x LOAD %lu\n",
|
|
__func__, cmd, VIDIOC_MSM_CPP_LOAD_FIRMWARE);
|
|
- break;
|
|
+ mutex_unlock(&cpp_dev->mutex);
|
|
+ return -EINVAL;
|
|
}
|
|
|
|
mutex_unlock(&cpp_dev->mutex);
|
|
@@ -4233,7 +4258,7 @@ static long msm_cpp_subdev_fops_compat_ioctl(struct file *file,
|
|
default:
|
|
pr_err_ratelimited("%s: unsupported compat type :%d\n",
|
|
__func__, cmd);
|
|
- break;
|
|
+ return -EINVAL;
|
|
}
|
|
|
|
if (is_copytouser_req) {
|
|
--
|
|
cgit v1.1
|
|
|