msm: ais: Fix arbitrary kernel write

In 64 bit kernel and 32 bit userspace,ioctl_ptr from kernel space, should NOT call the copy_from_user. In 64 bit kernel and 64 bit userspace,ioctl_ptr from user space, use the copy_from_user to copy data. use the is_compat_task to distinguish two condition Change-Id: Ib420168bbae1b7f950a1124f3e54b48d434952ca Signed-off-by: E V Ravi <evenka@codeaurora.org>
2018-10-15 18:05:04 +05:30 · 2018-10-15 18:05:04 +05:30 · 6bf50d959e
commit 6bf50d959e
parent 1e6aa1b4d8
1 changed files with 10 additions and 9 deletions
--- a/drivers/media/platform/msm/ais/msm_buf_mgr/msm_generic_buf_mgr.c
+++ b/drivers/media/platform/msm/ais/msm_buf_mgr/msm_generic_buf_mgr.c
@ -1,4 +1,4 @@
-/* Copyright (c) 2013-2017, The Linux Foundation. All rights reserved.
+/* Copyright (c) 2013-2018, The Linux Foundation. All rights reserved.
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License version 2 and
@ -554,15 +554,16 @@ static long msm_buf_mngr_subdev_ioctl(struct v4l2_subdev *sd,
 				return -EINVAL;
 			if (!k_ioctl.ioctl_ptr)
 				return -EINVAL;
-
+			if (!is_compat_task()) {
-			MSM_CAM_GET_IOCTL_ARG_PTR(&tmp, &k_ioctl.ioctl_ptr,
+				MSM_CAM_GET_IOCTL_ARG_PTR(&tmp,
-				sizeof(tmp));
+					&k_ioctl.ioctl_ptr, sizeof(tmp));
-			if (copy_from_user(&buf_info, (void __user *)tmp,
+				if (copy_from_user(&buf_info,
-				sizeof(struct msm_buf_mngr_info))) {
+					(void __user *)tmp,
-				return -EFAULT;
+					sizeof(struct msm_buf_mngr_info))) {
 					return -EFAULT;
 				}
 				k_ioctl.ioctl_ptr = (uintptr_t)&buf_info;
 			}
 			k_ioctl.ioctl_ptr = (uintptr_t)&buf_info;
 			argp = (void *)&k_ioctl;
 			rc = msm_cam_buf_mgr_ops(cmd, argp);
 			}