msm: camera: Fix kernel overwrite GET_BUF_BY_IDX ioctl

Assign address of buf_info into ioctl_ptr.
Previously we were copying the first 8 bytes of buf_info (content)
into ioctl_ptr, which is dereferenced and written later, causing
a kernel overwrite vulnerability.

Change-Id: Ie5deae249da8208523027f8ec5632f960757e9bd
Signed-off-by: Trishansh Bhardwaj <tbhardwa@codeaurora.org>
Trishansh Bhardwaj 2017-04-18 14:44:43 +05:30 committed by Gerrit - the friendly Code Review server
parent 048c70075f
commit fa5ee0d284

@ -553,8 +553,7 @@ static long msm_buf_mngr_subdev_ioctl(struct v4l2_subdev *sd,
sizeof(struct msm_buf_mngr_info))) {
return -EFAULT;
}
MSM_CAM_GET_IOCTL_ARG_PTR(&k_ioctl.ioctl_ptr,
&buf_info, sizeof(void *));
k_ioctl.ioctl_ptr = (uintptr_t)&buf_info;
argp = &k_ioctl;
rc = msm_cam_buf_mgr_ops(cmd, argp);
}
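
Review bot: at the `k_ioctl.ioctl_ptr = (uintptr_t)&buf_info;` assignment, ioctl_ptr now holds the address of a kernel-local copy, and nothing in the hunk documents that msm_cam_buf_mgr_ops() must treat it as a kernel pointer on this path. A one-line comment above the assignment saying that buf_info is the copied-in kernel buffer, and that ioctl_ptr must not be handled as a user address further down, would keep a later change from reintroducing the confusion between the struct's content and its address. Since the dropped `MSM_CAM_GET_IOCTL_ARG_PTR(..., &buf_info, sizeof(void *))` call copied the leading bytes of a user-filled struct into a pointer field, other callers that pass this macro a struct address with `sizeof(void *)` deserve the same check. The commit message would also be easier to triage if it named the later write that consumed the bad pointer.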