| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 26 Feb 2015 13:18:31 +0800
From: Sudip JAIN <sudip.jain@...com>
To: Jeremiah Mahler <jmmahler@...il.com>
CC: "linux-media@...r.kernel.org" <linux-media@...r.kernel.org>,
"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>
Subject: RE: 0001-media-vb2-Fill-vb2_buffer-with-bytesused-from-user.patch;
kernel version 3.10.69
Hello Jeremiah,
Please find the patch "inline"
commit 3390900680e5182998916c8fa231bc79cd84046b
Author: Sudip Jain <sudip.jain@...com>
Date: Thu Feb 26 10:40:34 2015 +0530
media: vb2: Fill vb2_buffer with bytesused from user
In vb2_qbuf for dmabuf memory type, userside bytesused is not read to
vb2 buffer. This leads garbage value being copied from __qbuf_dmabuf()
back to user in __fill_v4l2_buffer().
As a default case, the vb2 framework must trust the userside value,
and also allow driver's buffer prepare function prefer modify/update
or not to.
Applied on kernel version 3.10.69
Change-Id: Ieda389403898935f59c2e2994106f3e5238cfefd
Signed-off-by: Sudip Jain <sudip.jain@...com>
diff --git a/drivers/media/v4l2-core/videobuf2-core.c b/drivers/media/v4l2-core/videobuf2-core.c
index 5e47ba4..54fe9c9 100644
--- a/drivers/media/v4l2-core/videobuf2-core.c
+++ b/drivers/media/v4l2-core/videobuf2-core.c
@@ -919,6 +919,8 @@ static void __fill_vb2_buffer(struct vb2_buffer *vb, const struct v4l2_buffer *b
b->m.planes[plane].m.fd;
v4l2_planes[plane].length =
b->m.planes[plane].length;
+ v4l2_planes[plane].bytesused =
+ b->m.planes[plane].bytesused;
v4l2_planes[plane].data_offset =
b->m.planes[plane].data_offset;
}
@@ -943,6 +945,7 @@ static void __fill_vb2_buffer(struct vb2_buffer *vb, const struct v4l2_buffer *b
if (b->memory == V4L2_MEMORY_DMABUF) {
v4l2_planes[0].m.fd = b->m.fd;
v4l2_planes[0].length = b->length;
+ v4l2_planes[0].bytesused = b->bytesused;
v4l2_planes[0].data_offset = 0;
}
Thanks,
Sudip
________________________________________
From: Jeremiah Mahler [jmmahler@...il.com]
Sent: Wednesday, February 25, 2015 11:53 PM
To: Sudip JAIN
Cc: linux-media@...r.kernel.org; linux-kernel@...r.kernel.org
Subject: Re: 0001-media-vb2-Fill-vb2_buffer-with-bytesused-from-user.patch
Sudip,
On Wed, Feb 25, 2015 at 03:29:22PM +0800, Sudip JAIN wrote:
> Dear Maintainer,
>
> PFA attached patch that prevents user from being returned garbage bytesused value from vb2 framework.
>
> Regards,
> Sudip Jain
>
Patches should never be submitted as attachments, they should be inline.
See Documentation/SubmittingPatches for more info.
[...]
--
- Jeremiah Mahler
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists