lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <lsq.1511315892.293619409@decadent.org.uk>
Date:   Wed, 22 Nov 2017 01:58:12 +0000
From:   Ben Hutchings <ben@...adent.org.uk>
To:     linux-kernel@...r.kernel.org, stable@...r.kernel.org
CC:     akpm@...ux-foundation.org, "H. Peter Anvin" <hpa@...ux.intel.com>,
        "Sakari Ailus" <sakari.ailus@...ux.intel.com>,
        "Tiffany Lin" <tiffany.lin@...iatek.com>,
        "Laurent Pinchart" <laurent.pinchart+renesas@...asonboard.com>,
        "Mauro Carvalho Chehab" <mchehab@...pensource.com>,
        "Hans Verkuil" <hans.verkuil@...co.com>,
        "Ricardo Ribalda Delgado" <ricardo.ribalda@...il.com>,
        "Daniel Mentz" <danielmentz@...gle.com>
Subject: [PATCH 3.16 020/133] media: v4l2-compat-ioctl32: Fix timespec
 conversion

3.16.51-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Daniel Mentz <danielmentz@...gle.com>

commit 9c7ba1d7634cef490b85bc64c4091ff004821bfd upstream.

Certain syscalls like recvmmsg support 64 bit timespec values for the
X32 ABI. The helper function compat_put_timespec converts a timespec
value to a 32 bit or 64 bit value depending on what ABI is used. The
v4l2 compat layer, however, is not designed to support 64 bit timespec
values and always uses 32 bit values. Hence, compat_put_timespec must
not be used.

Without this patch, user space will be provided with bad timestamp
values from the VIDIOC_DQEVENT ioctl. Also, fields of the struct
v4l2_event32 that come immediately after timestamp get overwritten,
namely the field named id.

Fixes: 81993e81a994 ("compat: Get rid of (get|put)_compat_time(val|spec)")

Cc: H. Peter Anvin <hpa@...ux.intel.com>
Cc: Laurent Pinchart <laurent.pinchart+renesas@...asonboard.com>
Cc: Tiffany Lin <tiffany.lin@...iatek.com>
Cc: Ricardo Ribalda Delgado <ricardo.ribalda@...il.com>
Cc: Sakari Ailus <sakari.ailus@...ux.intel.com>
Signed-off-by: Daniel Mentz <danielmentz@...gle.com>
Signed-off-by: Hans Verkuil <hans.verkuil@...co.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@...pensource.com>
Signed-off-by: Ben Hutchings <ben@...adent.org.uk>
---
 drivers/media/v4l2-core/v4l2-compat-ioctl32.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/media/v4l2-core/v4l2-compat-ioctl32.c
+++ b/drivers/media/v4l2-core/v4l2-compat-ioctl32.c
@@ -731,7 +731,8 @@ static int put_v4l2_event32(struct v4l2_
 		copy_to_user(&up->u, &kp->u, sizeof(kp->u)) ||
 		put_user(kp->pending, &up->pending) ||
 		put_user(kp->sequence, &up->sequence) ||
-		compat_put_timespec(&kp->timestamp, &up->timestamp) ||
+		put_user(kp->timestamp.tv_sec, &up->timestamp.tv_sec) ||
+		put_user(kp->timestamp.tv_nsec, &up->timestamp.tv_nsec) ||
 		put_user(kp->id, &up->id) ||
 		copy_to_user(up->reserved, kp->reserved, 8 * sizeof(__u32)))
 			return -EFAULT;

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ