evie/android_kernel_oneplus_msm8998
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

msm: camera: Fix arbitrary kernel write

Browse source 
In 64 bit kernel and 32 bit userspace,ioctl_ptr from
kernel space, should NOT call the copy_from_user.

In 64 bit kernel and 64 bit userspace,ioctl_ptr from
user space, use the copy_from_user to copy data.

use the is_compat_task to distinguish two condition.

CRs-Fixed: 2283160
Change-Id: If9205e4f3176a52e52f694a3183dc9c5b7617a97
Signed-off-by: Haibin Liu <haibinl@codeaurora.org>
This commit is contained in:
Haibin Liu 2018-09-10 16:02:44 +08:00 committed by Gerrit - the friendly Code Review server
parent 727593cbf7
commit d87b566e73
1 changed files with 3 additions and 5 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

8
drivers/media/platform/msm/camera_v2/msm_buf_mgr/msm_generic_buf_mgr.c
View file

@ -570,15 +570,13 @@ static long msm_buf_mngr_subdev_ioctl(struct v4l2_subdev *sd,
k_ioctl = *ptr;
switch (k_ioctl.id) {
case MSM_CAMERA_BUF_MNGR_IOCTL_ID_GET_BUF_BY_IDX: {
struct msm_buf_mngr_info buf_info, *tmp = NULL;
if (k_ioctl.size != sizeof(struct msm_buf_mngr_info))
return -EINVAL;
if (!k_ioctl.ioctl_ptr)
return -EINVAL;
#ifndef CONFIG_COMPAT
{
struct msm_buf_mngr_info buf_info, *tmp = NULL;
if (!is_compat_task()) {
MSM_CAM_GET_IOCTL_ARG_PTR(&tmp,
&k_ioctl.ioctl_ptr, sizeof(tmp));
if (copy_from_user(&buf_info, tmp,
@ -587,7 +585,7 @@ static long msm_buf_mngr_subdev_ioctl(struct v4l2_subdev *sd,
}
k_ioctl.ioctl_ptr = (uintptr_t)&buf_info;
}
#endif
argp = &k_ioctl;
rc = msm_cam_buf_mgr_ops(cmd, argp);
}