msm: camera: Fix arbitrary kernel write
With a 64-bit kernel and 32-bit userspace, ioctl_ptr comes from kernel space, so copy_from_user must NOT be called on it. With a 64-bit kernel and 64-bit userspace, ioctl_ptr comes from user space, so copy_from_user is used to copy the data. Use is_compat_task to distinguish the two cases. CRs-Fixed: 2283160 Change-Id: If9205e4f3176a52e52f694a3183dc9c5b7617a97 Signed-off-by: Haibin Liu <haibinl@codeaurora.org>
parent
727593cbf7
commit
d87b566e73
1 changed files with 3 additions and 5 deletions
|
@ -570,15 +570,13 @@ static long msm_buf_mngr_subdev_ioctl(struct v4l2_subdev *sd,
|
||||||
k_ioctl = *ptr;
|
k_ioctl = *ptr;
|
||||||
switch (k_ioctl.id) {
|
switch (k_ioctl.id) {
|
||||||
case MSM_CAMERA_BUF_MNGR_IOCTL_ID_GET_BUF_BY_IDX: {
|
case MSM_CAMERA_BUF_MNGR_IOCTL_ID_GET_BUF_BY_IDX: {
|
||||||
|
struct msm_buf_mngr_info buf_info, *tmp = NULL;
|
||||||
|
|
||||||
if (k_ioctl.size != sizeof(struct msm_buf_mngr_info))
|
if (k_ioctl.size != sizeof(struct msm_buf_mngr_info))
|
||||||
return -EINVAL;
|
return -EINVAL;
|
||||||
if (!k_ioctl.ioctl_ptr)
|
if (!k_ioctl.ioctl_ptr)
|
||||||
return -EINVAL;
|
return -EINVAL;
|
||||||
#ifndef CONFIG_COMPAT
|
if (!is_compat_task()) {
|
||||||
{
|
|
||||||
struct msm_buf_mngr_info buf_info, *tmp = NULL;
|
|
||||||
|
|
||||||
MSM_CAM_GET_IOCTL_ARG_PTR(&tmp,
|
MSM_CAM_GET_IOCTL_ARG_PTR(&tmp,
|
||||||
&k_ioctl.ioctl_ptr, sizeof(tmp));
|
&k_ioctl.ioctl_ptr, sizeof(tmp));
|
||||||
if (copy_from_user(&buf_info, tmp,
|
if (copy_from_user(&buf_info, tmp,
|
||||||
|
@ -587,7 +585,7 @@ static long msm_buf_mngr_subdev_ioctl(struct v4l2_subdev *sd,
|
||||||
}
|
}
|
||||||
k_ioctl.ioctl_ptr = (uintptr_t)&buf_info;
|
k_ioctl.ioctl_ptr = (uintptr_t)&buf_info;
|
||||||
}
|
}
|
||||||
#endif
|
|
||||||
argp = &k_ioctl;
|
argp = &k_ioctl;
|
||||||
rc = msm_cam_buf_mgr_ops(cmd, argp);
|
rc = msm_cam_buf_mgr_ops(cmd, argp);
|
||||||
}
|
}
|
||||||
|
|
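Review bot: The `if (!is_compat_task())` check decides whether `k_ioctl.ioctl_ptr` is trusted as a kernel address from the calling task's ABI rather than from where the pointer actually came from, and nothing in the hunk records that assumption. It is only safe if every 32-bit caller reaches this case through a compat handler that has already replaced `ioctl_ptr` with a kernel-side copy of `struct msm_buf_mngr_info`. That handler is not visible here, so this should be confirmed, since otherwise a user-chosen value would still be handed to `msm_cam_buf_mgr_ops` as a kernel pointer. I would add a comment above the check such as `/* compat: ioctl_ptr already points at a kernel copy made by the compat ioctl path; native: user pointer, copy it in */`. The body of `msm_buf_mngr_subdev_ioctl` starts and ends outside the hunks shown, including the `copy_from_user` failure branch between them.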