
Commit d87b566e authored by Haibin Liu's avatar Haibin Liu Committed by Gerrit - the friendly Code Review server

msm: camera: Fix arbitrary kernel write



With a 64-bit kernel and 32-bit userspace, ioctl_ptr comes from
kernel space, so copy_from_user should NOT be called.

With a 64-bit kernel and 64-bit userspace, ioctl_ptr comes from
user space, so use copy_from_user to copy the data.

Use is_compat_task to distinguish the two conditions.

CRs-Fixed: 2283160
Change-Id: If9205e4f3176a52e52f694a3183dc9c5b7617a97
Signed-off-by: default avatarHaibin Liu <haibinl@codeaurora.org>
parent 727593cb
+3 −5
@@ -570,15 +570,13 @@ static long msm_buf_mngr_subdev_ioctl(struct v4l2_subdev *sd,
		k_ioctl = *ptr;
		switch (k_ioctl.id) {
		case MSM_CAMERA_BUF_MNGR_IOCTL_ID_GET_BUF_BY_IDX: {
			struct msm_buf_mngr_info buf_info, *tmp = NULL;

			if (k_ioctl.size != sizeof(struct msm_buf_mngr_info))
				return -EINVAL;
			if (!k_ioctl.ioctl_ptr)
				return -EINVAL;
#ifndef CONFIG_COMPAT
			{
				struct msm_buf_mngr_info buf_info, *tmp = NULL;

			if (!is_compat_task()) {
				MSM_CAM_GET_IOCTL_ARG_PTR(&tmp,
					&k_ioctl.ioctl_ptr, sizeof(tmp));
				if (copy_from_user(&buf_info, tmp,
@@ -587,7 +585,7 @@ static long msm_buf_mngr_subdev_ioctl(struct v4l2_subdev *sd,
				}
				k_ioctl.ioctl_ptr = (uintptr_t)&buf_info;
			}
#endif

			argp = &k_ioctl;
			rc = msm_cam_buf_mgr_ops(cmd, argp);
			}
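Review bot: The `if (!is_compat_task())` test in the `MSM_CAMERA_BUF_MNGR_IOCTL_ID_GET_BUF_BY_IDX` case decides whether `k_ioctl.ioctl_ptr` is a user or a kernel address from the caller's ABI, not from how the request actually reached this handler. When the task is a compat task, the value is handed to `msm_cam_buf_mgr_ops()` as a kernel pointer with no further check. The fix therefore holds only if every 32-bit caller arrives through a compat wrapper that has already copied `struct msm_buf_mngr_info` into kernel memory, and that wrapper is not visible in this hunk. I would record the invariant directly above the branch, e.g. `/* compat tasks: ioctl_ptr already points at a kernel copy made by the compat ioctl wrapper */`, and confirm that no other entry point lets a compat task reach this case with a raw user-supplied value. The body of `msm_buf_mngr_subdev_ioctl` starts and ends outside the hunk.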