| author | E V Ravi <evenka@codeaurora.org> | 2018-10-15 18:05:04 +0530 |
|---|---|---|
| committer | E V Ravi <evenka@codeaurora.org> | 2018-10-24 12:56:41 +0530 |
| commit | 6bf50d959e35d0c2578e4f6625bc169aed341e70 (patch) | |
| tree | 43fdc94f8ea771d0e9a30860a689e63971b2d2bb | |
| parent | 1e6aa1b4d8139a28dcefe4ecbd7492bbce26b0fd (diff) | |
msm: ais: Fix arbitrary kernel write
With a 64-bit kernel and 32-bit userspace, ioctl_ptr comes from
kernel space, so copy_from_user should NOT be called on it.
With a 64-bit kernel and 64-bit userspace, ioctl_ptr comes from
user space, so use copy_from_user to copy the data.
Use is_compat_task to distinguish the two conditions.
Change-Id: Ib420168bbae1b7f950a1124f3e54b48d434952ca
Signed-off-by: E V Ravi <evenka@codeaurora.org>
| -rw-r--r-- | drivers/media/platform/msm/ais/msm_buf_mgr/msm_generic_buf_mgr.c | 19 |
1 files changed, 10 insertions, 9 deletions
diff --git a/drivers/media/platform/msm/ais/msm_buf_mgr/msm_generic_buf_mgr.c b/drivers/media/platform/msm/ais/msm_buf_mgr/msm_generic_buf_mgr.c
index 66751b1f0657..db41cada4328 100644
--- a/drivers/media/platform/msm/ais/msm_buf_mgr/msm_generic_buf_mgr.c
+++ b/drivers/media/platform/msm/ais/msm_buf_mgr/msm_generic_buf_mgr.c
@@ -1,4 +1,4 @@
-/* Copyright (c) 2013-2017, The Linux Foundation. All rights reserved.
+/* Copyright (c) 2013-2018, The Linux Foundation. All rights reserved.
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License version 2 and
@@ -554,15 +554,16 @@ static long msm_buf_mngr_subdev_ioctl(struct v4l2_subdev *sd,
 return -EINVAL;
 if (!k_ioctl.ioctl_ptr)
 return -EINVAL;
-
- MSM_CAM_GET_IOCTL_ARG_PTR(&tmp, &k_ioctl.ioctl_ptr,
- sizeof(tmp));
- if (copy_from_user(&buf_info, (void __user *)tmp,
- sizeof(struct msm_buf_mngr_info))) {
- return -EFAULT;
+ if (!is_compat_task()) {
+ MSM_CAM_GET_IOCTL_ARG_PTR(&tmp,
+ &k_ioctl.ioctl_ptr, sizeof(tmp));
+ if (copy_from_user(&buf_info,
+ (void __user *)tmp,
+ sizeof(struct msm_buf_mngr_info))) {
+ return -EFAULT;
+ }
+ k_ioctl.ioctl_ptr = (uintptr_t)&buf_info;
 }
- k_ioctl.ioctl_ptr = (uintptr_t)&buf_info;
-
 argp = (void *)&k_ioctl;
 rc = msm_cam_buf_mgr_ops(cmd, argp);
 }
|
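Review bot: In the new `if (!is_compat_task())` branch, the compat case now hands `k_ioctl.ioctl_ptr` to `msm_cam_buf_mgr_ops()` unchanged, so this path relies on an invariant the hunk does not show: that the compat ioctl handler has already replaced the 32-bit user pointer with the address of a kernel copy. `is_compat_task()` describes the calling task, not where the pointer came from, so if any route reaches this case from a 32-bit task without that translation, a user-supplied value would be used as a kernel address. I would state the invariant at the branch, e.g. `/* compat: ioctl_ptr must already point at the kernel copy made by the compat handler; it is used as a kernel address below */`, and confirm that every caller upholds it. The body of msm_buf_mngr_subdev_ioctl starts and ends outside the hunk, so the earlier copy into `k_ioctl` and the type of `tmp` cannot be checked from here.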
