
Commit 2cad8aa2 authored by Terence Ho, committed by Andy Sun

msm: ais: Fix kernel overwrite GET_BUF_BY_IDX ioctl



Assign the address of buf_info to ioctl_ptr.
Previously we were copying the first 8 bytes of buf_info (content)
into ioctl_ptr, which is dereferenced and written later, causing a
kernel overwrite vulnerability.

CRs-fixed: 2013631
Change-Id: Ia27dafe003c2c4d7a59dc2976bee2cfc15978403
Signed-off-by: Terence Ho <terenceh@codeaurora.org>
Signed-off-by: Andy Sun <bins@codeaurora.org>
parent 96e3d4de
+2 −2
@@ -561,8 +561,8 @@ static long msm_buf_mngr_subdev_ioctl(struct v4l2_subdev *sd,
				sizeof(struct msm_buf_mngr_info))) {
				return -EFAULT;
			}
			MSM_CAM_GET_IOCTL_ARG_PTR(&k_ioctl.ioctl_ptr,
				&buf_info, sizeof(void *));
			k_ioctl.ioctl_ptr = (uintptr_t)&buf_info;

			argp = &k_ioctl;
			rc = msm_cam_buf_mgr_ops(cmd, argp);
			}
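
Review bot: The assignment `k_ioctl.ioctl_ptr = (uintptr_t)&buf_info;` carries no comment saying that ioctl_ptr must hold the address of buf_info and never bytes read out of it, which is what the `MSM_CAM_GET_IOCTL_ARG_PTR(&k_ioctl.ioctl_ptr, &buf_info, sizeof(void *))` call did. A one-line comment above the assignment stating this, and that the pointer is dereferenced and written by the callee, would keep the macro from being reintroduced here. Because `msm_cam_buf_mgr_ops(cmd, argp)` now receives the address of buf_info through k_ioctl, please also confirm in this review that the callee treats ioctl_ptr as a kernel address on this path, and check whether any other case in msm_buf_mngr_subdev_ioctl passes a data buffer rather than a pointer value as the source argument of MSM_CAM_GET_IOCTL_ARG_PTR.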