Message ID | 1396254188-7277-1-git-send-email-sakari.ailus@linux.intel.com (mailing list archive) |
---|---|
State | New, archived |
Hi Sakari, Thank you for the patch. On Monday 31 March 2014 11:23:08 Sakari Ailus wrote: > VIDIOC_SUBDEV_[GS]_FRAME_INTERVAL IOCTLs argument structs contain the pad > field but the validity check was missing. There should be no implications > security-wise from this since no driver currently uses the pad field in the > struct. > > Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com> Acked-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com> > --- > drivers/media/v4l2-core/v4l2-subdev.c | 16 ++++++++++++++-- > 1 file changed, 14 insertions(+), 2 deletions(-) > > diff --git a/drivers/media/v4l2-core/v4l2-subdev.c > b/drivers/media/v4l2-core/v4l2-subdev.c index aea84ac..0ed4c5b 100644 > --- a/drivers/media/v4l2-core/v4l2-subdev.c > +++ b/drivers/media/v4l2-core/v4l2-subdev.c > @@ -305,11 +305,23 @@ static long subdev_do_ioctl(struct file *file, > unsigned int cmd, void *arg) fse); > } > > - case VIDIOC_SUBDEV_G_FRAME_INTERVAL: > + case VIDIOC_SUBDEV_G_FRAME_INTERVAL: { > + struct v4l2_subdev_frame_interval *fi = arg; > + > + if (fi->pad >= sd->entity.num_pads) > + return -EINVAL; > + > return v4l2_subdev_call(sd, video, g_frame_interval, arg); > + } > + > + case VIDIOC_SUBDEV_S_FRAME_INTERVAL: { > + struct v4l2_subdev_frame_interval *fi = arg; > + > + if (fi->pad >= sd->entity.num_pads) > + return -EINVAL; > > - case VIDIOC_SUBDEV_S_FRAME_INTERVAL: > return v4l2_subdev_call(sd, video, s_frame_interval, arg); > + } > > case VIDIOC_SUBDEV_ENUM_FRAME_INTERVAL: { > struct v4l2_subdev_frame_interval_enum *fie = arg;
Laurent Pinchart wrote:
> Hi Sakari,
>
> Thank you for the patch.
>
> On Monday 31 March 2014 11:23:08 Sakari Ailus wrote:
>> VIDIOC_SUBDEV_[GS]_FRAME_INTERVAL IOCTLs argument structs contain the pad
>> field but the validity check was missing. There should be no implications
>> security-wise from this since no driver currently uses the pad field in the
>> struct.
>>
>> Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
>
> Acked-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>

Mauro has already pulled the set which this patch was a part of. Good that no problems were found.

Thanks. :-)
diff --git a/drivers/media/v4l2-core/v4l2-subdev.c b/drivers/media/v4l2-core/v4l2-subdev.c index aea84ac..0ed4c5b 100644 --- a/drivers/media/v4l2-core/v4l2-subdev.c +++ b/drivers/media/v4l2-core/v4l2-subdev.c @@ -305,11 +305,23 @@ static long subdev_do_ioctl(struct file *file, unsigned int cmd, void *arg) fse); } - case VIDIOC_SUBDEV_G_FRAME_INTERVAL: + case VIDIOC_SUBDEV_G_FRAME_INTERVAL: { + struct v4l2_subdev_frame_interval *fi = arg; + + if (fi->pad >= sd->entity.num_pads) + return -EINVAL; + return v4l2_subdev_call(sd, video, g_frame_interval, arg); + } + + case VIDIOC_SUBDEV_S_FRAME_INTERVAL: { + struct v4l2_subdev_frame_interval *fi = arg; + + if (fi->pad >= sd->entity.num_pads) + return -EINVAL; - case VIDIOC_SUBDEV_S_FRAME_INTERVAL: return v4l2_subdev_call(sd, video, s_frame_interval, arg); + } case VIDIOC_SUBDEV_ENUM_FRAME_INTERVAL: { struct v4l2_subdev_frame_interval_enum *fie = arg;
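Review bot: the new `fi->pad >= sd->entity.num_pads` test in the VIDIOC_SUBDEV_G_FRAME_INTERVAL and VIDIOC_SUBDEV_S_FRAME_INTERVAL cases turns a pad value that was previously ignored into an -EINVAL return, and the commit message does not mention that change for callers. Since the message says no driver uses the field, a caller passing an arbitrary pad value succeeded until now; the message should state that user space must fill in a valid pad from this point on. It is also worth confirming that `sd->entity.num_pads` cannot be 0 for a sub-device that reaches these cases, because the comparison would then reject every call, pad 0 included. The two added blocks differ only in the op name passed to `v4l2_subdev_call`, so the check could be shared instead of written twice.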
VIDIOC_SUBDEV_[GS]_FRAME_INTERVAL IOCTLs argument structs contain the pad
field but the validity check was missing. There should be no implications
security-wise from this since no driver currently uses the pad field in the
struct.

Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
---
 drivers/media/v4l2-core/v4l2-subdev.c | 16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)