lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-Id: <1366364816-3567-1-git-send-email-prabhakar.csengg@gmail.com>
Date:	Fri, 19 Apr 2013 15:16:56 +0530
From:	Prabhakar lad <prabhakar.csengg@...il.com>
To:	LMML <linux-media@...r.kernel.org>
Cc:	Mauro Carvalho Chehab <mchehab@...hat.com>,
	DLOS <davinci-linux-open-source@...ux.davincidsp.com>,
	LKML <linux-kernel@...r.kernel.org>,
	Hans Verkuil <hans.verkuil@...co.com>,
	Pawel Osciak <pawel@...iak.com>,
	Kyungmin Park <kyungmin.park@...sung.com>,
	"Lad, Prabhakar" <prabhakar.csengg@...il.com>,
	Laurent Pinchart <laurent.pinchart@...asonboard.com>,
	Marek Szyprowski <m.szyprowski@...sung.com>,
	Seung-Woo Kim <sw0312.kim@...sung.com>
Subject: [PATCH RFC] media: videobuf2: fix the length check for mmap

From: Lad, Prabhakar <prabhakar.csengg@...il.com>

>From commit 068a0df76023926af958a336a78bef60468d2033
"[media] media: vb2: add length check for mmap"
patch verifies that the mmap() size requested by userspace
doesn't exceed the buffer size.

As the mmap() size is rounded up to the next page boundary
the check will fail for buffer sizes that are not multiple
of the page size.

This patch fixes the check by aligning the buffer size to page
size during the check. Alongside fixes the vmalloc allocator
to round up the size.

Signed-off-by: Lad, Prabhakar <prabhakar.csengg@...il.com>
Cc: Laurent Pinchart <laurent.pinchart@...asonboard.com>
Cc: Marek Szyprowski <m.szyprowski@...sung.com>
Cc: Seung-Woo Kim <sw0312.kim@...sung.com>
Cc: Hans Verkuil <hans.verkuil@...co.com>
Cc: Mauro Carvalho Chehab <mchehab@...hat.com>
---
 drivers/media/v4l2-core/videobuf2-core.c    |    2 +-
 drivers/media/v4l2-core/videobuf2-vmalloc.c |    2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/media/v4l2-core/videobuf2-core.c b/drivers/media/v4l2-core/videobuf2-core.c
index 58c1744..223fcd4 100644
--- a/drivers/media/v4l2-core/videobuf2-core.c
+++ b/drivers/media/v4l2-core/videobuf2-core.c
@@ -1886,7 +1886,7 @@ int vb2_mmap(struct vb2_queue *q, struct vm_area_struct *vma)
 
 	vb = q->bufs[buffer];
 
-	if (vb->v4l2_planes[plane].length < (vma->vm_end - vma->vm_start)) {
+	if (PAGE_ALIGN(vb->v4l2_planes[plane].length) < (vma->vm_end - vma->vm_start)) {
 		dprintk(1, "Invalid length\n");
 		return -EINVAL;
 	}
diff --git a/drivers/media/v4l2-core/videobuf2-vmalloc.c b/drivers/media/v4l2-core/videobuf2-vmalloc.c
index 313d977..bf3b95c 100644
--- a/drivers/media/v4l2-core/videobuf2-vmalloc.c
+++ b/drivers/media/v4l2-core/videobuf2-vmalloc.c
@@ -44,7 +44,7 @@ static void *vb2_vmalloc_alloc(void *alloc_ctx, unsigned long size, gfp_t gfp_fl
 		return NULL;
 
 	buf->size = size;
-	buf->vaddr = vmalloc_user(buf->size);
+	buf->vaddr = vmalloc_user(PAGE_ALIGN(buf->size));
 	buf->handler.refcount = &buf->refcount;
 	buf->handler.put = vb2_vmalloc_put;
 	buf->handler.arg = buf;
-- 
1.7.4.1

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ