Commit 1a34af0c authored by Trishansh Bhardwaj, committed by Gerrit - the friendly Code Review server
msm: camera: Fix kernel overwrite GET_BUF_BY_IDX ioctl



Assign the address of buf_info to ioctl_ptr.
Previously we were copying the first 8 bytes of buf_info (content)
into ioctl_ptr, which is dereferenced and written later, causing
a kernel overwrite vulnerability.

Change-Id: Ie5deae249da8208523027f8ec5632f960757e9bd
Signed-off-by: Trishansh Bhardwaj <tbhardwa@codeaurora.org>
parent a9eb70a3
+1 −2
@@ -555,8 +555,7 @@ static long msm_buf_mngr_subdev_ioctl(struct v4l2_subdev *sd,
				sizeof(struct msm_buf_mngr_info))) {
				return -EFAULT;
			}
			MSM_CAM_GET_IOCTL_ARG_PTR(&k_ioctl.ioctl_ptr,
				&buf_info, sizeof(void *));
			k_ioctl.ioctl_ptr = (uintptr_t)&buf_info;
			argp = &k_ioctl;
			rc = msm_cam_buf_mgr_ops(cmd, argp);
			}
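
Review bot: the added line k_ioctl.ioctl_ptr = (uintptr_t)&buf_info; now stores a kernel address in a field that the removed MSM_CAM_GET_IOCTL_ARG_PTR call filled from the contents of buf_info, and nothing in the hunk documents that switch. Add a one-line comment above the assignment stating that ioctl_ptr points at the kernel copy of buf_info for this command, so a later cleanup does not restore the macro. Also confirm that the code following msm_cam_buf_mgr_ops(cmd, argp) returns results to the caller from buf_info and never copies k_ioctl itself back, since ioctl_ptr now holds a kernel address that should not leave the kernel.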