From patchwork Fri Apr 12 03:57:57 2013 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Seung-Woo Kim X-Patchwork-Id: 2434021 Return-Path: X-Original-To: patchwork-linux-media@patchwork.kernel.org Delivered-To: patchwork-process-083081@patchwork1.kernel.org Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by patchwork1.kernel.org (Postfix) with ESMTP id 6B93D3FD1A for ; Fri, 12 Apr 2013 03:57:50 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752280Ab3DLD5s (ORCPT ); Thu, 11 Apr 2013 23:57:48 -0400 Received: from mailout1.samsung.com ([203.254.224.24]:65132 "EHLO mailout1.samsung.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751736Ab3DLD5r (ORCPT ); Thu, 11 Apr 2013 23:57:47 -0400 Received: from epcpsbgr3.samsung.com (u143.gpu120.samsung.co.kr [203.254.230.143]) by mailout1.samsung.com (Oracle Communications Messaging Server 7u4-24.01 (7.0.4.24.0) 64bit (built Nov 17 2011)) with ESMTP id <0ML4002FWJ00JAD0@mailout1.samsung.com> for linux-media@vger.kernel.org; Fri, 12 Apr 2013 12:57:46 +0900 (KST) Received: from epcpsbgm1.samsung.com ( [172.20.52.112]) by epcpsbgr3.samsung.com (EPCPMTA) with SMTP id 1B.C4.05174.A3687615; Fri, 12 Apr 2013 12:57:46 +0900 (KST) X-AuditID: cbfee68f-b7f4a6d000001436-7f-5167863abf88 Received: from epmmp1.local.host ( [203.254.227.16]) by epcpsbgm1.samsung.com (EPCPMTA) with SMTP id 69.12.17838.93687615; Fri, 12 Apr 2013 12:57:46 +0900 (KST) Received: from localhost.localdomain ([10.90.8.56]) by mmp1.samsung.com (Oracle Communications Messaging Server 7u4-24.01 (7.0.4.24.0) 64bit (built Nov 17 2011)) with ESMTPA id <0ML400K7QJ072080@mmp1.samsung.com>; Fri, 12 Apr 2013 12:57:45 +0900 (KST) From: Seung-Woo Kim To: linux-media@vger.kernel.org Cc: mchehab@redhat.com, m.szyprowski@samsung.com, pawel@osciak.com, kyungmin.park@samsung.com, sw0312.kim@samsung.com Subject: [PATCH] media: vb2: add length check for mmap Date: Fri, 12 Apr 2013 12:57:57 +0900 Message-id: <1365739077-8740-1-git-send-email-sw0312.kim@samsung.com> X-Mailer: git-send-email 1.7.4.1 X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFrrILMWRmVeSWpSXmKPExsWyRsSkQNeqLT3QYPURDouzTW/YLXo2bGW1 WHvkLrvFnqOH2S2mvP3JbjFj8ks2BzaPx79esnm833eVzaNvyypGj8+b5AJYorhsUlJzMstS i/TtErgybqycyl5wlq1i8eHFzA2Mh1i7GDk5JARMJE4cP8EEYYtJXLi3nq2LkYtDSGApo8Th ztfMXYwcYEUHv+VCxBcxSsy8f4QFpEFIoJlJYsbDPBCbTUBHYv+S32BDRQTkJZ703mADsZkF yiVe7j8LtkBYwEziVt9bFpCZLAKqEjdmaoKEeQVcJdqX90LdoCCx4N5bNgj7N5vEnFu6IDaL gIDEt8mHWCDOkZXYdIAZokRS4uCKGywTGAUXMDKsYhRNLUguKE5KLzLWK07MLS7NS9dLzs/d xAgMztP/nvXvYLx7wPoQYzLQuInMUqLJ+cDgziuJNzQ2M7IwNTE1NjK3NCNNWEmcV63FOlBI ID2xJDU7NbUgtSi+qDQntfgQIxMHp1QD4zS1j0fUWtnPmTzv0Hj20MZ9ceYunnk6eqIPuW8W eWuFvblyvPR9yYJ917SETxeb9DnU3M9KKZ4tEeX5Z0KV87vgfDH2ZxULZFybrFcXeBzf1jVL quzRzz8f9xz/FxnDPvdfz9ZrxZOcpI9+c5aNXavgseV5pqcvl4xfRJneT0fZQ4K3qjYtUGIp zkg01GIuKk4EACEhlDFkAgAA X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFlrPIsWRmVeSWpSXmKPExsVy+t9jAV2rtvRAgzd/GC3ONr1ht+jZsJXV Yu2Ru+wWe44eZreY8vYnu8WMyS/ZHNg8Hv96yebxft9VNo++LasYPT5vkgtgiWpgtMlITUxJ LVJIzUvOT8nMS7dV8g6Od443NTMw1DW0tDBXUshLzE21VXLxCdB1y8wB2q6kUJaYUwoUCkgs LlbSt8M0ITTETdcCpjFC1zckCK7HyAANJKxhzLixcip7wVm2isWHFzM3MB5i7WLk4JAQMJE4 +C23i5ETyBSTuHBvPVsXIxeHkMAiRomZ94+wgCSEBJqZJGY8zAOx2QR0JPYv+c0KYosIyEs8 6b3BBmIzC5RLvNx/lgnEFhYwk7jV95YFZD6LgKrEjZmaIGFeAVeJ9uW9TBC7FCQW3HvLNoGR ewEjwypG0dSC5ILipPRcQ73ixNzi0rx0veT83E2M4OB/JrWDcWWDxSFGAQ5GJR7eF8LpgUKs iWXFlbmHGCU4mJVEeGP2pgUK8aYkVlalFuXHF5XmpBYfYkwGWj6RWUo0OR8YmXkl8YbGJmZG lkbmhhZGxuakCSuJ8x5otQ4UEkhPLEnNTk0tSC2C2cLEwSnVwLj30cZzLkJ7VlyXUNioK+b6 wHpmcY9G+q5jJ8Pf38/M+K6QGh+8UXWGqbRK72n1r7umP9hzQo9HaM2n6hbN/Y5GT/nvFJW/ n3jS/eWhpfIFUW/7gtW3K6kwxntPubR2fXTRN4nXRm+vZj3eU1P672aIope74ZYZ7f8fWcnG hq1N/nLJhlO4+qUSS3FGoqEWc1FxIgAxmj17wgIAAA== DLP-Filter: Pass X-MTR: 20000000000000000@CPGS X-CFilter-Loop: Reflected Sender: linux-media-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-media@vger.kernel.org The length of mmap() can be bigger than length of vb2 buffer, so it should be checked. Signed-off-by: Seung-Woo Kim Acked-by: Marek Szyprowski --- drivers/media/v4l2-core/videobuf2-core.c | 5 +++++ 1 files changed, 5 insertions(+), 0 deletions(-) diff --git a/drivers/media/v4l2-core/videobuf2-core.c b/drivers/media/v4l2-core/videobuf2-core.c index db1235d..2c6ff2d 100644 --- a/drivers/media/v4l2-core/videobuf2-core.c +++ b/drivers/media/v4l2-core/videobuf2-core.c @@ -1886,6 +1886,11 @@ int vb2_mmap(struct vb2_queue *q, struct vm_area_struct *vma) vb = q->bufs[buffer]; + if (vb->v4l2_planes[plane].length < (vma->vm_end - vma->vm_start)) { + dprintk(1, "Invalid length\n"); + return -EINVAL; + } + ret = call_memop(q, mmap, vb->planes[plane].mem_priv, vma); if (ret) return ret;