lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <272c471b-a7a9-c830-e19b-d1f19ee47073@xs4all.nl>
Date:   Mon, 25 Nov 2019 15:40:23 +0100
From:   Hans Verkuil <hverkuil@...all.nl>
To:     Arnd Bergmann <arnd@...db.de>,
        Mauro Carvalho Chehab <mchehab@...nel.org>,
        linux-media@...r.kernel.org
Cc:     linux-kernel@...r.kernel.org, y2038@...ts.linaro.org
Subject: Re: [PATCH v4 5/8] media: v4l2-core: fix VIDIOC_DQEVENT for time64
 ABI

On 11/11/19 9:38 PM, Arnd Bergmann wrote:
> The v4l2_event structure contains a 'struct timespec' member that is
> defined by the user space C library, creating an ABI incompatibility
> when that gets updated to a 64-bit time_t.
> 
> While passing a 32-bit time_t here would be sufficient for CLOCK_MONOTONIC
> timestamps, simply redefining the structure to use the kernel's
> __kernel_old_timespec would not work for any library that uses a copy
> of the linux/videodev2.h header file rather than including the copy from
> the latest kernel headers.
> 
> This means the kernel has to be changed to handle both versions of the
> structure layout on a 32-bit architecture. The easiest way to do this
> is during the copy from/to user space.
> 
> Signed-off-by: Arnd Bergmann <arnd@...db.de>
> ---
>  drivers/media/v4l2-core/v4l2-event.c  |  5 ++++-
>  drivers/media/v4l2-core/v4l2-ioctl.c  | 24 ++++++++++++++++++++-
>  drivers/media/v4l2-core/v4l2-subdev.c | 20 +++++++++++++++++-
>  include/uapi/linux/videodev2.h        | 30 +++++++++++++++++++++++++++
>  4 files changed, 76 insertions(+), 3 deletions(-)
> 
> diff --git a/drivers/media/v4l2-core/v4l2-event.c b/drivers/media/v4l2-core/v4l2-event.c
> index 9d673d113d7a..290c6b213179 100644
> --- a/drivers/media/v4l2-core/v4l2-event.c
> +++ b/drivers/media/v4l2-core/v4l2-event.c
> @@ -27,6 +27,7 @@ static unsigned sev_pos(const struct v4l2_subscribed_event *sev, unsigned idx)
>  static int __v4l2_event_dequeue(struct v4l2_fh *fh, struct v4l2_event *event)
>  {
>  	struct v4l2_kevent *kev;
> +	struct timespec64 ts;
>  	unsigned long flags;
>  
>  	spin_lock_irqsave(&fh->vdev->fh_lock, flags);
> @@ -44,7 +45,9 @@ static int __v4l2_event_dequeue(struct v4l2_fh *fh, struct v4l2_event *event)
>  
>  	kev->event.pending = fh->navailable;
>  	*event = kev->event;
> -	event->timestamp = ns_to_timespec(kev->ts);
> +	ts = ns_to_timespec64(kev->ts);
> +	event->timestamp.tv_sec = ts.tv_sec;
> +	event->timestamp.tv_nsec = ts.tv_nsec;
>  	kev->sev->first = sev_pos(kev->sev, 1);
>  	kev->sev->in_use--;
>  
> diff --git a/drivers/media/v4l2-core/v4l2-ioctl.c b/drivers/media/v4l2-core/v4l2-ioctl.c
> index 693f9eb8e01b..1de939d11628 100644
> --- a/drivers/media/v4l2-core/v4l2-ioctl.c
> +++ b/drivers/media/v4l2-core/v4l2-ioctl.c
> @@ -821,7 +821,7 @@ static void v4l_print_event(const void *arg, bool write_only)
>  	const struct v4l2_event *p = arg;
>  	const struct v4l2_event_ctrl *c;
>  
> -	pr_cont("type=0x%x, pending=%u, sequence=%u, id=%u, timestamp=%lu.%9.9lu\n",
> +	pr_cont("type=0x%x, pending=%u, sequence=%u, id=%u, timestamp=%llu.%9.9llu\n",
>  			p->type, p->pending, p->sequence, p->id,
>  			p->timestamp.tv_sec, p->timestamp.tv_nsec);
>  	switch (p->type) {
> @@ -3010,6 +3010,13 @@ static int check_array_args(unsigned int cmd, void *parg, size_t *array_size,
>  
>  static unsigned int video_translate_cmd(unsigned int cmd)
>  {
> +	switch (cmd) {
> +#ifdef CONFIG_COMPAT_32BIT_TIME
> +	case VIDIOC_DQEVENT_TIME32:
> +		return VIDIOC_DQEVENT;
> +#endif
> +	}
> +
>  	return cmd;
>  }
>  
> @@ -3059,6 +3066,21 @@ static int video_put_user(void __user *arg, void *parg, unsigned int cmd)
>  		return 0;
>  
>  	switch (cmd) {
> +#ifdef CONFIG_COMPAT_32BIT_TIME
> +	case VIDIOC_DQEVENT_TIME32: {
> +		struct v4l2_event_time32 ev32;
> +		struct v4l2_event *ev = parg;
> +
> +	        memcpy(&ev32, ev, offsetof(struct v4l2_event, timestamp));
> +	        ev32.timestamp.tv_sec = ev->timestamp.tv_sec;
> +	        ev32.timestamp.tv_nsec = ev->timestamp.tv_nsec;
> +	        memcpy(&ev32.id, &ev->id, sizeof(*ev) - offsetof(struct v4l2_event, id));

This looks dangerous: due to 64-bit alignment requirements the
v4l2_event struct may end with a 4-byte hole at the end of the struct,
which you do not want to copy to ev32.

I think it is safer to just copy id and reserved separately:

		ev32.id = ev->id;
		memcpy(ev32.reserved, ev->reserved, sizeof(ev->reserved));

> +
> +		if (copy_to_user(arg, &ev32, sizeof(ev32)))
> +			return -EFAULT;
> +		break;
> +	}
> +#endif
>  	default:
>  		/*  Copy results into user buffer  */
>  		if (copy_to_user(arg, parg, _IOC_SIZE(cmd)))
> diff --git a/drivers/media/v4l2-core/v4l2-subdev.c b/drivers/media/v4l2-core/v4l2-subdev.c
> index f725cd9b66b9..45454a628e45 100644
> --- a/drivers/media/v4l2-core/v4l2-subdev.c
> +++ b/drivers/media/v4l2-core/v4l2-subdev.c
> @@ -331,8 +331,8 @@ static long subdev_do_ioctl(struct file *file, unsigned int cmd, void *arg)
>  	struct v4l2_fh *vfh = file->private_data;
>  #if defined(CONFIG_VIDEO_V4L2_SUBDEV_API)
>  	struct v4l2_subdev_fh *subdev_fh = to_v4l2_subdev_fh(vfh);
> -	int rval;
>  #endif
> +	int rval;
>  
>  	switch (cmd) {
>  	case VIDIOC_QUERYCTRL:
> @@ -392,6 +392,24 @@ static long subdev_do_ioctl(struct file *file, unsigned int cmd, void *arg)
>  
>  		return v4l2_event_dequeue(vfh, arg, file->f_flags & O_NONBLOCK);
>  
> +	case VIDIOC_DQEVENT_TIME32: {
> +		struct v4l2_event_time32 *ev32 = arg;
> +		struct v4l2_event ev;
> +
> +		if (!(sd->flags & V4L2_SUBDEV_FL_HAS_EVENTS))
> +			return -ENOIOCTLCMD;
> +
> +		rval = v4l2_event_dequeue(vfh, &ev, file->f_flags & O_NONBLOCK);
> +
> +		memcpy(ev32, &ev, offsetof(struct v4l2_event, timestamp));
> +		ev32->timestamp.tv_sec = ev.timestamp.tv_sec;
> +		ev32->timestamp.tv_nsec = ev.timestamp.tv_nsec;
> +		memcpy(&ev32->id, &ev.id,
> +		       sizeof(ev) - offsetof(struct v4l2_event, id));

Ditto.

> +
> +		return rval;
> +	}
> +
>  	case VIDIOC_SUBSCRIBE_EVENT:
>  		return v4l2_subdev_call(sd, core, subscribe_event, vfh, arg);
>  
> diff --git a/include/uapi/linux/videodev2.h b/include/uapi/linux/videodev2.h
> index 74d3d522f3db..1d2553d4ed5b 100644
> --- a/include/uapi/linux/videodev2.h
> +++ b/include/uapi/linux/videodev2.h
> @@ -2329,11 +2329,40 @@ struct v4l2_event {
>  	} u;
>  	__u32				pending;
>  	__u32				sequence;
> +#ifdef __KERNEL__
> +	struct __kernel_timespec	timestamp;
> +#else
>  	struct timespec			timestamp;
> +#endif
>  	__u32				id;
>  	__u32				reserved[8];
>  };
>  
> +#ifdef __KERNEL__
> +/*
> + * The user space interpretation of the 'v4l2_event' differs
> + * based on the 'time_t' definition on 32-bit architectures, so
> + * the kernel has to handle both.
> + * This is the old version for 32-bit architectures.
> + */
> +struct v4l2_event_time32 {
> +	__u32				type;
> +	union {
> +		struct v4l2_event_vsync		vsync;
> +		struct v4l2_event_ctrl		ctrl;
> +		struct v4l2_event_frame_sync	frame_sync;
> +		struct v4l2_event_src_change	src_change;
> +		struct v4l2_event_motion_det	motion_det;
> +		__u8				data[64];
> +	} u;
> +	__u32				pending;
> +	__u32				sequence;
> +	struct old_timespec32		timestamp;
> +	__u32				id;
> +	__u32				reserved[8];
> +};
> +#endif
> +
>  #define V4L2_EVENT_SUB_FL_SEND_INITIAL		(1 << 0)
>  #define V4L2_EVENT_SUB_FL_ALLOW_FEEDBACK	(1 << 1)
>  
> @@ -2486,6 +2515,7 @@ struct v4l2_create_buffers {
>  #define	VIDIOC_S_DV_TIMINGS	_IOWR('V', 87, struct v4l2_dv_timings)
>  #define	VIDIOC_G_DV_TIMINGS	_IOWR('V', 88, struct v4l2_dv_timings)
>  #define	VIDIOC_DQEVENT		 _IOR('V', 89, struct v4l2_event)
> +#define	VIDIOC_DQEVENT_TIME32	 _IOR('V', 89, struct v4l2_event_time32)

Shouldn't this be under #ifdef __KERNEL__?

And should this be in the public header at all? media/v4l2-ioctl.h might be a better
place.

Regards,

	Hans

>  #define	VIDIOC_SUBSCRIBE_EVENT	 _IOW('V', 90, struct v4l2_event_subscription)
>  #define	VIDIOC_UNSUBSCRIBE_EVENT _IOW('V', 91, struct v4l2_event_subscription)
>  #define VIDIOC_CREATE_BUFS	_IOWR('V', 92, struct v4l2_create_buffers)
> 

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ