From patchwork Fri May 30 23:26:38 2014
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Guennadi Liakhovetski <g.liakhovetski@gmx.de>
X-Patchwork-Id: 4274511
Return-Path: <linux-media-owner@kernel.org>
X-Original-To: patchwork-linux-media@patchwork.kernel.org
Delivered-To: patchwork-parsemail@patchwork2.web.kernel.org
Received: from mail.kernel.org (mail.kernel.org [198.145.19.201])
	by patchwork2.web.kernel.org (Postfix) with ESMTP id E1F53BEEA7
	for <patchwork-linux-media@patchwork.kernel.org>;
	Fri, 30 May 2014 23:26:44 +0000 (UTC)
Received: from mail.kernel.org (localhost [127.0.0.1])
	by mail.kernel.org (Postfix) with ESMTP id 1746D20397
	for <patchwork-linux-media@patchwork.kernel.org>;
	Fri, 30 May 2014 23:26:44 +0000 (UTC)
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by mail.kernel.org (Postfix) with ESMTP id 2B118202E6
	for <patchwork-linux-media@patchwork.kernel.org>;
	Fri, 30 May 2014 23:26:43 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1756146AbaE3X0l (ORCPT
	<rfc822;patchwork-linux-media@patchwork.kernel.org>);
	Fri, 30 May 2014 19:26:41 -0400
Received: from mout.kundenserver.de ([212.227.17.10]:54606 "EHLO
	mout.kundenserver.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1751491AbaE3X0k (ORCPT
	<rfc822;linux-media@vger.kernel.org>);
	Fri, 30 May 2014 19:26:40 -0400
Received: from axis700.grange (dslb-088-076-023-045.pools.arcor-ip.net
	[88.76.23.45])
	by mrelayeu.kundenserver.de (node=mreue102) with ESMTP (Nemesis)
	id 0LrbAL-1Wgb0V3mPt-013QFJ; Sat, 31 May 2014 01:26:39 +0200
Received: by axis700.grange (Postfix, from userid 1000)
	id 87F2340BDB; Sat, 31 May 2014 01:26:38 +0200 (CEST)
Received: from localhost (localhost [127.0.0.1])
	by axis700.grange (Postfix) with ESMTP id 7F5FF40BD9;
	Sat, 31 May 2014 01:26:38 +0200 (CEST)
Date: Sat, 31 May 2014 01:26:38 +0200 (CEST)
From: Guennadi Liakhovetski <g.liakhovetski@gmx.de>
X-X-Sender: lyakh@axis700.grange
To: Linux Media Mailing List <linux-media@vger.kernel.org>
cc: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Subject: [PATCH] V4L2: fix VIDIOC_CREATE_BUFS 32-bit compatibility mode data
	copy-back
Message-ID: <Pine.LNX.4.64.1405310125260.17582@axis700.grange>
MIME-Version: 1.0
X-Provags-ID: V02:K0:MFJRePsFVM6to60PVh/1w6LZtjogkBhQB+8WilzVQyY
	TNpY3UcmOJQVA/C+MUCLpM3itfiHiVto/oPktpR8RKSbknFup/
	kJMidEdI+9l8KIjpK4iS+On4YO0QPc0EWJji92Sfbvh9HUhYFu
	IF/kialupW7wA40maX5jkSgPT2TcJYpZ90NPVKvQGj8dWav8NC
	2dEiMWsrTo02s4P1iflVrKV872Fhh00Y7lA26rGauAv/hENiJ/
	lRxcIZEmlPOJr59nB30+iGD4Ai+4MixeNN1pqleMh0rC2VCMBl
	QEdVx8wyQK6Pnw8KEmNfMvKDANAK0Ax+/LuhkAT1urPnrIUNIZ
	YvTwuemjMJ+7vqqrQTclz8SyMPQZ3vUUwGV3HWWuPp+Dv3ZfbJ
	JImic2w1+5xtw==
Sender: linux-media-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-media.vger.kernel.org>
X-Mailing-List: linux-media@vger.kernel.org
X-Spam-Status: No, score=-7.5 required=5.0 tests=BAYES_00,FREEMAIL_FROM,
	RCVD_IN_DNSWL_HI, RP_MATCHES_RCVD,
	UNPARSEABLE_RELAY autolearn=ham version=3.3.1
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on mail.kernel.org
X-Virus-Scanned: ClamAV using ClamSMTP

Similar to an earlier patch, fixing reading user-space data for the
VIDIOC_CREATE_BUFS ioctl() in 32-bit compatibility mode, this patch fixes
writing back of the possibly modified struct to the user. However, unlike
the former bug, this one is much less harmful, because it only results in
the kernel failing to write the .type field back to the user, but in fact
this is likely unneeded, because the kernel will hardly want to change
that field. Therefore this bug is more of a theoretical nature.

Signed-off-by: Guennadi Liakhovetski <g.liakhovetski@gmx.de>
Acked-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
---

Not tested yet, I'll (try not to forget to) test it next week.

 drivers/media/v4l2-core/v4l2-compat-ioctl32.c | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/drivers/media/v4l2-core/v4l2-compat-ioctl32.c b/drivers/media/v4l2-core/v4l2-compat-ioctl32.c
index 7e2411c..c86a7e8 100644
--- a/drivers/media/v4l2-core/v4l2-compat-ioctl32.c
+++ b/drivers/media/v4l2-core/v4l2-compat-ioctl32.c
@@ -222,6 +222,9 @@ static int get_v4l2_create32(struct v4l2_create_buffers *kp, struct v4l2_create_
 
 static int __put_v4l2_format32(struct v4l2_format *kp, struct v4l2_format32 __user *up)
 {
+	if (put_user(kp->type, &up->type))
+		return -EFAULT;
+
 	switch (kp->type) {
 	case V4L2_BUF_TYPE_VIDEO_CAPTURE:
 	case V4L2_BUF_TYPE_VIDEO_OUTPUT:
@@ -248,8 +251,7 @@ static int __put_v4l2_format32(struct v4l2_format *kp, struct v4l2_format32 __us
 
 static int put_v4l2_format32(struct v4l2_format *kp, struct v4l2_format32 __user *up)
 {
-	if (!access_ok(VERIFY_WRITE, up, sizeof(struct v4l2_format32)) ||
-		put_user(kp->type, &up->type))
+	if (!access_ok(VERIFY_WRITE, up, sizeof(struct v4l2_format32)))
 		return -EFAULT;
 	return __put_v4l2_format32(kp, up);
 }
@@ -257,8 +259,8 @@ static int put_v4l2_format32(struct v4l2_format *kp, struct v4l2_format32 __user
 static int put_v4l2_create32(struct v4l2_create_buffers *kp, struct v4l2_create_buffers32 __user *up)
 {
 	if (!access_ok(VERIFY_WRITE, up, sizeof(struct v4l2_create_buffers32)) ||
-	    copy_to_user(up, kp, offsetof(struct v4l2_create_buffers32, format.fmt)))
-			return -EFAULT;
+	    copy_to_user(up, kp, offsetof(struct v4l2_create_buffers32, format)))
+		return -EFAULT;
 	return __put_v4l2_format32(&kp->format, &up->format);
 }