
Commit 85966610 authored by Rajakumar Govindaram, committed by Krishnankutty Kolathappilly

msm: camera2: cpp: Avoid incorrect argument access in IOCTL



The command MSM_SD_SHUTDOWN is used for internal sub-device
communication from the camera node. Its argument differs from
the argument carried by the other commands. This change validates
the input argument of MSM_SD_SHUTDOWN separately from that of the
other commands.

BUG: KASan: out of bounds on stack in
 msm_cpp_subdev_ioctl+0xf8/0x17d4 at addr ffffffc052e2f9c8
Read of size 8 by task mm-qcamera-daem/868
page:ffffffbb07d36be8 count:0 mapcount:0 mapping:
(null) index:0x0 flags: 0x0()
page dumped because: kasan: bad access detected
CPU: 2 PID: 868 Comm: mm-qcamera-daem Tainted:
 G        W      3.18.0-g4d43ecd-dirty #5
Hardware name: Qualcomm Technologies, Inc.
 MSM 8996 v2 + PMI8994 MTP (DT)
Call trace:
[<ffffffc000089c70>] dump_backtrace+0x0/0x1c4
[<ffffffc000089e44>] show_stack+0x10/0x1c
[<ffffffc0010cadfc>] dump_stack+0x74/0xc8
[<ffffffc00020e360>] kasan_report_error+0x2ac/0x3d0
[<ffffffc00020e560>] kasan_report+0x34/0x40
[<ffffffc00020d520>] __asan_load8+0x84/0x90
[<ffffffc000a281f4>] msm_cpp_subdev_ioctl+0xf4/0x17d4
[<ffffffc0009edb3c>] msm_close+0x16c/0x274
[<ffffffc0009645b4>] v4l2_release+0x44/0xa8
[<ffffffc0002194c8>] __fput+0x17c/0x2a4
[<ffffffc000219650>] ____fput+0x8/0x14
[<ffffffc0000ce140>] task_work_run+0x100/0x138
[<ffffffc0000ab054>] do_exit+0x64c/0xdcc
[<ffffffc0000ace98>] do_group_exit+0x84/0x120
[<ffffffc0000bc288>] get_signal+0x6f8/0x750
[<ffffffc000088e34>] do_signal+0x118/0x700
[<ffffffc00008971c>] do_notify_resume+0x14/0x6c
Memory state around the buggy address:
 ffffffc052e2f880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffffffc052e2f900: 00 f4 f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00
>ffffffc052e2f980: 00 00 f1 f1 f1 f1 00 f4 f4 f4 f3 f3 f3 f3 00 00
                                              ^
 ffffffc052e2fa00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffffffc052e2fa80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Change-Id: Ia4b69c29ab6cb36e7a1f477fd0e08ce0884aacb6
Signed-off-by: Rajakumar Govindaram <rajakuma@codeaurora.org>
Signed-off-by: Krishnankutty Kolathappilly <kkolatha@codeaurora.org>
parent f47b4920
+32 −4
@@ -2399,16 +2399,39 @@ static void msm_cpp_fw_version(struct cpp_device *cpp_dev)
	msm_cpp_poll(cpp_dev->base, MSM_CPP_MSG_ID_TRAILER);
}

static int msm_cpp_validate_input(unsigned int cmd, void *arg,
	struct msm_camera_v4l2_ioctl_t **ioctl_ptr)
{
	switch (cmd) {
	case MSM_SD_SHUTDOWN:
		break;
	default: {
		if (ioctl_ptr == NULL) {
			pr_err("Wrong ioctl_ptr %p\n", ioctl_ptr);
			return -EINVAL;
		}

		*ioctl_ptr = arg;
		if ((*ioctl_ptr == NULL) ||
			((*ioctl_ptr)->ioctl_ptr == NULL)) {
			pr_err("Wrong arg %p\n", arg);
			return -EINVAL;
		}
		break;
	}
	}
	return 0;
}

long msm_cpp_subdev_ioctl(struct v4l2_subdev *sd,
			unsigned int cmd, void *arg)
{
	struct cpp_device *cpp_dev = NULL;
	struct msm_camera_v4l2_ioctl_t *ioctl_ptr = arg;
	struct msm_camera_v4l2_ioctl_t *ioctl_ptr = NULL;
	int rc = 0;

	if ((sd == NULL) || (ioctl_ptr == NULL) ||
		(ioctl_ptr->ioctl_ptr == NULL)) {
		pr_err("Wrong ioctl_ptr %p, sd %p\n", ioctl_ptr, sd);
	if (sd == NULL) {
		pr_err("sd %p\n", sd);
		return -EINVAL;
	}
	cpp_dev = v4l2_get_subdevdata(sd);
@@ -2416,6 +2439,11 @@ long msm_cpp_subdev_ioctl(struct v4l2_subdev *sd,
		pr_err("cpp_dev is null\n");
		return -EINVAL;
	}
	rc = msm_cpp_validate_input(cmd, arg, &ioctl_ptr);
	if (rc != 0) {
		pr_err("input validation failed\n");
		return rc;
	}
	mutex_lock(&cpp_dev->mutex);
	CPP_DBG("E cmd: 0x%x\n", cmd);
	switch (cmd) {
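Review bot: The new `pr_err` calls format pointers with `%p`, yet in the two NULL-check branches (`sd == NULL` at the top of msm_cpp_subdev_ioctl and `ioctl_ptr == NULL` in msm_cpp_validate_input) the printed value is always NULL and carries no information, while the third, `pr_err("Wrong arg %p\n", arg)`, logs the address of `arg`, which on this call path is a kernel pointer (the trace shows the ioctl reached from msm_close) and on a 3.18 kernel `%p` is not hashed; use `pr_err("Wrong arg %pK\n", arg);` so kptr_restrict applies, or drop the pointer from the message. msm_cpp_validate_input also lacks a comment explaining the exemption, which the commit message supplies; above the `case MSM_SD_SHUTDOWN:` label add `/* MSM_SD_SHUTDOWN is issued internally from the camera node and does not carry a struct msm_camera_v4l2_ioctl_t, so *ioctl_ptr is left as the caller set it (NULL). */`. Because `ioctl_ptr` is now initialised to NULL and stays NULL for MSM_SD_SHUTDOWN, any code reached for that command inside the `switch (cmd)` whose body lies beyond the end of this hunk must tolerate a NULL `ioctl_ptr`; that cannot be confirmed from the lines shown here.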