From 6bf50d959e35d0c2578e4f6625bc169aed341e70 Mon Sep 17 00:00:00 2001 From: E V Ravi Date: Mon, 15 Oct 2018 18:05:04 +0530 Subject: [PATCH] msm: ais: Fix arbitrary kernel write In 64 bit kernel and 32 bit userspace,ioctl_ptr from kernel space, should NOT call the copy_from_user. In 64 bit kernel and 64 bit userspace,ioctl_ptr from user space, use the copy_from_user to copy data. use the is_compat_task to distinguish two condition Change-Id: Ib420168bbae1b7f950a1124f3e54b48d434952ca Signed-off-by: E V Ravi --- .../msm/ais/msm_buf_mgr/msm_generic_buf_mgr.c | 19 ++++++++++--------- 1 file changed, 10 insertions(+), 9 deletions(-) diff --git a/drivers/media/platform/msm/ais/msm_buf_mgr/msm_generic_buf_mgr.c b/drivers/media/platform/msm/ais/msm_buf_mgr/msm_generic_buf_mgr.c index 66751b1f0657..db41cada4328 100644 --- a/drivers/media/platform/msm/ais/msm_buf_mgr/msm_generic_buf_mgr.c +++ b/drivers/media/platform/msm/ais/msm_buf_mgr/msm_generic_buf_mgr.c @@ -1,4 +1,4 @@ -/* Copyright (c) 2013-2017, The Linux Foundation. All rights reserved. +/* Copyright (c) 2013-2018, The Linux Foundation. All rights reserved. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 and @@ -554,15 +554,16 @@ static long msm_buf_mngr_subdev_ioctl(struct v4l2_subdev *sd, return -EINVAL; if (!k_ioctl.ioctl_ptr) return -EINVAL; - - MSM_CAM_GET_IOCTL_ARG_PTR(&tmp, &k_ioctl.ioctl_ptr, - sizeof(tmp)); - if (copy_from_user(&buf_info, (void __user *)tmp, - sizeof(struct msm_buf_mngr_info))) { - return -EFAULT; + if (!is_compat_task()) { + MSM_CAM_GET_IOCTL_ARG_PTR(&tmp, + &k_ioctl.ioctl_ptr, sizeof(tmp)); + if (copy_from_user(&buf_info, + (void __user *)tmp, + sizeof(struct msm_buf_mngr_info))) { + return -EFAULT; + } + k_ioctl.ioctl_ptr = (uintptr_t)&buf_info; } - k_ioctl.ioctl_ptr = (uintptr_t)&buf_info; - argp = (void *)&k_ioctl; rc = msm_cam_buf_mgr_ops(cmd, argp); }