mirror of
https://github.com/Divested-Mobile/DivestOS-Build.git
synced 2024-10-01 01:35:54 -04:00
34 lines
1.3 KiB
Diff
34 lines
1.3 KiB
Diff
From 8576feebaf688dadf0548b9a16d2b90b76ed714c Mon Sep 17 00:00:00 2001
|
|
From: Trishansh Bhardwaj <tbhardwa@codeaurora.org>
|
|
Date: Tue, 18 Apr 2017 14:44:43 +0530
|
|
Subject: msm: camera: Fix kernel overwrite GET_BUF_BY_IDX ioctl
|
|
|
|
Assign address of buf_info into ioctl_ptr.
|
|
Previously we were copying first 8 bytes of buf_info (content)
|
|
into ioctl_ptr. Which is dereferenced and written later causing
|
|
kernel overwrite vulnerability.
|
|
|
|
Change-Id: Ie5deae249da8208523027f8ec5632f960757e9bd
|
|
Signed-off-by: Trishansh Bhardwaj <tbhardwa@codeaurora.org>
|
|
---
|
|
drivers/media/platform/msm/camera_v2/msm_buf_mgr/msm_generic_buf_mgr.c | 3 +--
|
|
1 file changed, 1 insertion(+), 2 deletions(-)
|
|
|
|
diff --git a/drivers/media/platform/msm/camera_v2/msm_buf_mgr/msm_generic_buf_mgr.c b/drivers/media/platform/msm/camera_v2/msm_buf_mgr/msm_generic_buf_mgr.c
|
|
index 882ab03..d0b265a 100644
|
|
--- a/drivers/media/platform/msm/camera_v2/msm_buf_mgr/msm_generic_buf_mgr.c
|
|
+++ b/drivers/media/platform/msm/camera_v2/msm_buf_mgr/msm_generic_buf_mgr.c
|
|
@@ -554,8 +554,7 @@ static long msm_buf_mngr_subdev_ioctl(struct v4l2_subdev *sd,
|
|
sizeof(struct msm_buf_mngr_info))) {
|
|
return -EFAULT;
|
|
}
|
|
- MSM_CAM_GET_IOCTL_ARG_PTR(&k_ioctl.ioctl_ptr,
|
|
- &buf_info, sizeof(void *));
|
|
+ k_ioctl.ioctl_ptr = (uintptr_t)&buf_info;
|
|
argp = &k_ioctl;
|
|
rc = msm_cam_buf_mgr_ops(cmd, argp);
|
|
}
|
|
--
|
|
cgit v1.1
|
|
|