| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 22 Jun 2021 13:22:18 +0300
From: Laurent Pinchart <laurent.pinchart@...asonboard.com>
To: Mauro Carvalho Chehab <mchehab+huawei@...nel.org>
Cc: linuxarm@...wei.com, mauro.chehab@...wei.com,
Mauro Carvalho Chehab <mchehab@...nel.org>,
linux-kernel@...r.kernel.org, linux-media@...r.kernel.org,
stable@...r.kernel.org
Subject: Re: [PATCH v3] media: uvc: don't do DMA on stack
Hi Mauro,
On Mon, Jun 21, 2021 at 04:34:08PM +0200, Mauro Carvalho Chehab wrote:
> Em Mon, 21 Jun 2021 17:11:46 +0300 Laurent Pinchart escreveu:
> > On Mon, Jun 21, 2021 at 03:40:19PM +0200, Mauro Carvalho Chehab wrote:
> > > As warned by smatch:
> > > drivers/media/usb/uvc/uvc_v4l2.c:911 uvc_ioctl_g_input() error: doing dma on the stack (&i)
> > > drivers/media/usb/uvc/uvc_v4l2.c:943 uvc_ioctl_s_input() error: doing dma on the stack (&i)
> > >
> > > those two functions call uvc_query_ctrl passing a pointer to
> > > a data at the DMA stack. those are used to send URBs via
> > > usb_control_msg(). Using DMA stack is not supported and should
> > > not work anymore on modern Linux versions.
> > >
> > > So, use a kmalloc'ed buffer.
> > >
> > > Cc: stable@...r.kernel.org # Kernel 4.9 and upper
> > > Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@...nel.org>
> > > ---
> > > drivers/media/usb/uvc/uvc_v4l2.c | 30 ++++++++++++++++++++++--------
> > > 1 file changed, 22 insertions(+), 8 deletions(-)
> > >
> > > diff --git a/drivers/media/usb/uvc/uvc_v4l2.c b/drivers/media/usb/uvc/uvc_v4l2.c
> > > index 252136cc885c..a95bf7318848 100644
> > > --- a/drivers/media/usb/uvc/uvc_v4l2.c
> > > +++ b/drivers/media/usb/uvc/uvc_v4l2.c
> > > @@ -899,8 +899,8 @@ static int uvc_ioctl_g_input(struct file *file, void *fh, unsigned int *input)
> > > {
> > > struct uvc_fh *handle = fh;
> > > struct uvc_video_chain *chain = handle->chain;
> > > + u8 *buf;
> > > int ret;
> > > - u8 i;
> > >
> > > if (chain->selector == NULL ||
> > > (chain->dev->quirks & UVC_QUIRK_IGNORE_SELECTOR_UNIT)) {
> > > @@ -908,13 +908,20 @@ static int uvc_ioctl_g_input(struct file *file, void *fh, unsigned int *input)
> > > return 0;
> > > }
> > >
> > > + buf = kmalloc(1, GFP_KERNEL);
> > > + if (!buf)
> > > + return -ENOMEM;
> > > +
> > > ret = uvc_query_ctrl(chain->dev, UVC_GET_CUR, chain->selector->id,
> > > chain->dev->intfnum, UVC_SU_INPUT_SELECT_CONTROL,
> > > - &i, 1);
> > > + buf, 1);
> > > if (ret < 0)
> > > return ret;
> >
> > Memory leak :-)
>
> Argh ;-)
>
> Clearly, I'm needing more caffeine today, but it is too damn hot
> here...
>
> >
> > if (!ret)
> > *input = *buf - 1;
> >
> > kfree(buf);
> >
> > return ret;
> >
> > >
> > > - *input = i - 1;
> > > + *input = *buf - 1;
> > > +
> > > + kfree(buf);
> > > +
> > > return 0;
> > > }
> > >
> > > @@ -922,8 +929,8 @@ static int uvc_ioctl_s_input(struct file *file, void *fh, unsigned int input)
> > > {
> > > struct uvc_fh *handle = fh;
> > > struct uvc_video_chain *chain = handle->chain;
> > > + char *buf;
> >
> > u8 *buf;
> >
> > With these two changes,
> >
> > Reviewed-by: Laurent Pinchart <laurent.pinchart@...asonboard.com>
>
> Thanks!
>
> > Do I need to take the patch in my tree ?
>
> It is up to you.
>
> I suspect that it would be easier to just merge it at media_stage,
> together with the other patches from the smatch series, but it is
> up to you.
>
> Just let me know if you prefer to merge it via your tree, and I'll drop
> it from my queue, or otherwise I'll merge directly at media_stage,
> after waiting for a while on feedbacks on the remaining patches.
Please merge it directly, it's less work for me :-)
--
Regards,
Laurent Pinchart
Powered by blists - more mailing lists