From 003dc4139e3ffbdce11d7cf1fc7ce25303bc9d30 Mon Sep 17 00:00:00 2001
From: Haibin Liu
Date: Mon, 10 Sep 2018 16:02:44 +0800
Subject: [PATCH] msm: camera: Fix arbitrary kernel write
In 64 bit kernel and 32 bit userspace,ioctl_ptr from kernel space, should NOT call the copy_from_user. In 64 bit kernel and 64 bit userspace,ioctl_ptr from user space, use the copy_from_user to copy data. use the is_compat_task to distinguish two condition.
CRs-Fixed: 2283160
Change-Id: If9205e4f3176a52e52f694a3183dc9c5b7617a97
Signed-off-by: Haibin Liu
---
 .../msm/camera_v2/msm_buf_mgr/msm_generic_buf_mgr.c | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)
diff --git a/drivers/media/platform/msm/camera_v2/msm_buf_mgr/msm_generic_buf_mgr.c b/drivers/media/platform/msm/camera_v2/msm_buf_mgr/msm_generic_buf_mgr.c
index 58bfdb77a492..bf5296e6d071 100644
--- a/drivers/media/platform/msm/camera_v2/msm_buf_mgr/msm_generic_buf_mgr.c
+++ b/drivers/media/platform/msm/camera_v2/msm_buf_mgr/msm_generic_buf_mgr.c
@@ -570,15 +570,13 @@ static long msm_buf_mngr_subdev_ioctl(struct v4l2_subdev *sd,
 k_ioctl = *ptr;
 switch (k_ioctl.id) {
 case MSM_CAMERA_BUF_MNGR_IOCTL_ID_GET_BUF_BY_IDX: {
+ struct msm_buf_mngr_info buf_info, *tmp = NULL;
 if (k_ioctl.size != sizeof(struct msm_buf_mngr_info))
 return -EINVAL;
 if (!k_ioctl.ioctl_ptr)
 return -EINVAL;
-#ifndef CONFIG_COMPAT
- {
- struct msm_buf_mngr_info buf_info, *tmp = NULL;
-
+ if (!is_compat_task()) {
 MSM_CAM_GET_IOCTL_ARG_PTR(&tmp, &k_ioctl.ioctl_ptr, sizeof(tmp));
 if (copy_from_user(&buf_info, tmp,
@@ -587,7 +585,7 @@ static long msm_buf_mngr_subdev_ioctl(struct v4l2_subdev *sd,
 }
 k_ioctl.ioctl_ptr = (uintptr_t)&buf_info;
 }
-#endif
+
 argp = &k_ioctl;
 rc = msm_cam_buf_mgr_ops(cmd, argp);
 }
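Review bot: The `if (!is_compat_task())` test in the `MSM_CAMERA_BUF_MNGR_IOCTL_ID_GET_BUF_BY_IDX` case decides whether `k_ioctl.ioctl_ptr` is a user pointer or a kernel pointer from the calling task's ABI, not from the path by which the call reached this function. Per the commit message the compat path is expected to have replaced `ioctl_ptr` with a kernel address already, but that handler is outside the hunk, so any compat-task route that reaches this case without that rewrite would hand a caller-chosen value to `msm_cam_buf_mgr_ops()` as a kernel pointer. I would state the invariant at the branch, e.g. `/* compat callers: ioctl_ptr already points at a kernel copy made by the compat ioctl handler; native callers: user pointer, copied below */`, and confirm that every compat entry for this ID performs that copy. `msm_buf_mngr_subdev_ioctl` starts and ends outside the hunk.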