From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org, "Lad,
	Prabhakar" <prabhakar.csengg@gmail.com>,
	Hans Verkuil <hans.verkuil@cisco.com>,
	Mauro Carvalho Chehab <mchehab@s-opensource.com>
Subject: [PATCH 4.12 047/106] media: platform: davinci: return -EINVAL for VPFE_CMD_S_CCDC_RAW_PARAMS ioctl
Date: Wed,  9 Aug 2017 09:52:31 -0700
Message-ID: <20170809164522.930929317@linuxfoundation.org>
In-Reply-To: <20170809164515.714288642@linuxfoundation.org>

4.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Prabhakar Lad <prabhakar.csengg@gmail.com>

commit da05d52d2f0f6bd61094a0cd045fed94bf7d673a upstream.

This patch makes sure VPFE_CMD_S_CCDC_RAW_PARAMS ioctl no longer works
for vpfe_capture driver with a minimal patch suitable for backporting.

- This ioctl was never in public API and was only defined in kernel header.
- The function set_params constantly mixes up pointers and phys_addr_t
  numbers.
- This is part of a 'VPFE_CMD_S_CCDC_RAW_PARAMS' ioctl command that is
  described as an 'experimental ioctl that will change in future kernels'.
- The code to allocate the table never gets called after we copy_from_user
  the user input over the kernel settings, and then compare them
  for inequality.
- We then go on to use an address provided by user space as both the
  __user pointer for input and pass it through phys_to_virt to come up
  with a kernel pointer to copy the data to. This looks like a trivially
  exploitable root hole.

Due to these reasons we make sure this ioctl now returns -EINVAL and backport
this patch as far as possible.

Fixes: 5f15fbb68fd7 ("V4L/DVB (12251): v4l: dm644x ccdc module for vpfe capture driver")

Signed-off-by: Lad, Prabhakar <prabhakar.csengg@gmail.com>
Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/media/platform/davinci/vpfe_capture.c |   22 ++--------------------
 1 file changed, 2 insertions(+), 20 deletions(-)

--- a/drivers/media/platform/davinci/vpfe_capture.c
+++ b/drivers/media/platform/davinci/vpfe_capture.c
@@ -1719,27 +1719,9 @@ static long vpfe_param_handler(struct fi
 
 	switch (cmd) {
 	case VPFE_CMD_S_CCDC_RAW_PARAMS:
+		ret = -EINVAL;
 		v4l2_warn(&vpfe_dev->v4l2_dev,
-			  "VPFE_CMD_S_CCDC_RAW_PARAMS: experimental ioctl\n");
-		if (ccdc_dev->hw_ops.set_params) {
-			ret = ccdc_dev->hw_ops.set_params(param);
-			if (ret) {
-				v4l2_dbg(1, debug, &vpfe_dev->v4l2_dev,
-					"Error setting parameters in CCDC\n");
-				goto unlock_out;
-			}
-			ret = vpfe_get_ccdc_image_format(vpfe_dev,
-							 &vpfe_dev->fmt);
-			if (ret < 0) {
-				v4l2_dbg(1, debug, &vpfe_dev->v4l2_dev,
-					"Invalid image format at CCDC\n");
-				goto unlock_out;
-			}
-		} else {
-			ret = -EINVAL;
-			v4l2_dbg(1, debug, &vpfe_dev->v4l2_dev,
-				"VPFE_CMD_S_CCDC_RAW_PARAMS not supported\n");
-		}
+			"VPFE_CMD_S_CCDC_RAW_PARAMS not supported\n");
 		break;
 	default:
 		ret = -ENOTTY;
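
Review bot: v4l2_warn() in the VPFE_CMD_S_CCDC_RAW_PARAMS case now fires unconditionally on every call, so any process that can open the device node can fill the kernel log with "not supported" lines. The removed else branch printed the same message through v4l2_dbg(1, debug, ...); keeping that level, or using a rate-limited print, would avoid this. The continuation line carrying the message string is also no longer aligned with the opening parenthesis of v4l2_warn(, unlike the line it replaces. Since the call to ccdc_dev->hw_ops.set_params(param) is gone from this handler, a one-line comment on the case stating that the ioctl is rejected on purpose would help prevent it from being re-enabled later, and the set_params hook itself looks like a candidate for removal in a follow-up once the minimal backport has landed.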
