lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <1457946267.16701.6.camel@mtksdaap41>
Date:	Mon, 14 Mar 2016 17:04:27 +0800
From:	tiffany lin <tiffany.lin@...iatek.com>
To:	Hans Verkuil <hverkuil@...all.nl>
CC:	Hans Verkuil <hans.verkuil@...co.com>,
	<daniel.thompson@...aro.org>, "Rob Herring" <robh+dt@...nel.org>,
	Mauro Carvalho Chehab <mchehab@....samsung.com>,
	Matthias Brugger <matthias.bgg@...il.com>,
	Daniel Kurtz <djkurtz@...omium.org>,
	Pawel Osciak <posciak@...omium.org>,
	Eddie Huang <eddie.huang@...iatek.com>,
	Yingjoe Chen <yingjoe.chen@...iatek.com>,
	<devicetree@...r.kernel.org>, <linux-kernel@...r.kernel.org>,
	<linux-arm-kernel@...ts.infradead.org>,
	<linux-media@...r.kernel.org>,
	<linux-mediatek@...ts.infradead.org>, <PoChun.Lin@...iatek.com>
Subject: Re: FW: [PATCH v5 0/8] Add MT8173 Video Encoder Driver and VPU
 Driver

On Mon, 2016-03-14 at 08:21 +0100, Hans Verkuil wrote:
> On 03/14/2016 08:12 AM, tiffany lin wrote:
> > Hi Hans,
> > 
> > After change to use "v4l-utils.git master branch", "V4l2-compliance
> > -d /dev/video1" fail on "fail: v4l2-test-buffers.cpp(555):
> > check_0(crbufs.reserved, sizeof(crbufs.reserved))".
> > 
> > Check the source code and found
> > 
> > 	memset(&crbufs, 0xff, sizeof(crbufs));   -> crbufs to 0xff
> >         node->g_fmt(crbufs.format, i);
> >         crbufs.count = 0;
> >         crbufs.memory = m;
> >         fail_on_test(doioctl(node, VIDIOC_CREATE_BUFS, &crbufs));   
> >         fail_on_test(check_0(crbufs.reserved, sizeof(crbufs.reserved)));
> >         fail_on_test(crbufs.index != q.g_buffers());
> > 
> > crbufs is initialized to fill with 0xff and after VIDIOC_CREATE_BUFS,
> > crbufs.reserved field should be 0x0. But v4l2_m2m_create_bufs and
> > vb2_create_bufs do not process reserved filed.
> > Do we really need to check reserved filed filled with 0x0? Or we need to
> > change vb2_create_bufs to fix this issue?
> 
> The reserved field is zeroed in v4l_create_bufs() in v4l2-ioctl.c, so even before
> vb2_create_bufs et al is called.
> 
> The fact that it is no longer zeroed afterwards suggests that someone is messing
> with the reserved field.
> 
> You'll have to do a bit more digging, I'm afraid.
> 
Hi Hans,

Thanks for your information.
I found the root cause is in "put_v4l2_create32".
It do not copy reserved field from kernel space to user space.
After modification,"test VIDIOC_REQBUFS/CREATE_BUFS/QUERYBUF: OK"

diff --git a/drivers/media/v4l2-core/v4l2-compat-ioctl32.c
b/drivers/media/v4l2-core/v4l2-compat-ioctl32.c
index f38c076..109f687 100644
--- a/drivers/media/v4l2-core/v4l2-compat-ioctl32.c
+++ b/drivers/media/v4l2-core/v4l2-compat-ioctl32.c
@@ -280,7 +280,8 @@ static int put_v4l2_format32(struct v4l2_format *kp,
struct v4l2_format32 __user
 static int put_v4l2_create32(struct v4l2_create_buffers *kp, struct
v4l2_create_buffers32 __user *up)
 {
        if (!access_ok(VERIFY_WRITE, up, sizeof(struct
v4l2_create_buffers32)) ||
-           copy_to_user(up, kp, offsetof(struct v4l2_create_buffers32,
format)))
+           copy_to_user(up, kp, offsetof(struct v4l2_create_buffers32,
format)) ||
+           copy_to_user(up->reserved, kp->reserved,
sizeof(kp->reserved)))
                return -EFAULT;
        return __put_v4l2_format32(&kp->format, &up->format);
 }

best regards,
Tiffany

> Regards,
> 
> 	Hans


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ