Message ID | 1365739077-8740-1-git-send-email-sw0312.kim@samsung.com (mailing list archive) |
---|---|
State | New, archived |
On 4/12/2013 5:57 AM, Seung-Woo Kim wrote: > The length of mmap() can be bigger than length of vb2 buffer, so > it should be checked. > > Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com> Acked-by: Marek Szyprowski <m.szyprowski@samsung.com> > --- > drivers/media/v4l2-core/videobuf2-core.c | 5 +++++ > 1 files changed, 5 insertions(+), 0 deletions(-) > > diff --git a/drivers/media/v4l2-core/videobuf2-core.c b/drivers/media/v4l2-core/videobuf2-core.c > index db1235d..2c6ff2d 100644 > --- a/drivers/media/v4l2-core/videobuf2-core.c > +++ b/drivers/media/v4l2-core/videobuf2-core.c > @@ -1886,6 +1886,11 @@ int vb2_mmap(struct vb2_queue *q, struct vm_area_struct *vma) > > vb = q->bufs[buffer]; > > + if (vb->v4l2_planes[plane].length < (vma->vm_end - vma->vm_start)) { > + dprintk(1, "Invalid length\n"); > + return -EINVAL; > + } > + > ret = call_memop(q, mmap, vb->planes[plane].mem_priv, vma); > if (ret) > return ret; Best regards
On Friday 12 April 2013 08:03:15 Marek Szyprowski wrote: > On 4/12/2013 5:57 AM, Seung-Woo Kim wrote: > > The length of mmap() can be bigger than length of vb2 buffer, so > > it should be checked. > > > > Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com> > > Acked-by: Marek Szyprowski <m.szyprowski@samsung.com> This should be pushed to the stable kernels, as it's a potential security issue. > > --- > > > > drivers/media/v4l2-core/videobuf2-core.c | 5 +++++ > > 1 files changed, 5 insertions(+), 0 deletions(-) > > > > diff --git a/drivers/media/v4l2-core/videobuf2-core.c > > b/drivers/media/v4l2-core/videobuf2-core.c index db1235d..2c6ff2d 100644 > > --- a/drivers/media/v4l2-core/videobuf2-core.c > > +++ b/drivers/media/v4l2-core/videobuf2-core.c > > @@ -1886,6 +1886,11 @@ int vb2_mmap(struct vb2_queue *q, struct > > vm_area_struct *vma)> > > vb = q->bufs[buffer]; > > > > + if (vb->v4l2_planes[plane].length < (vma->vm_end - vma->vm_start)) { > > + dprintk(1, "Invalid length\n"); > > + return -EINVAL; > > + } > > + > > > > ret = call_memop(q, mmap, vb->planes[plane].mem_priv, vma); > > if (ret) > > > > return ret;
Oops, there is an issue. vb2-core does not PAGE_ALIGN the length of the buffer, but mmap() always does PAGE_ALIGN to its length. So a non-PAGE_ALIGN length of buffer from the driver side cannot be mmapped with this patch. On 2013-04-12 15:03, Marek Szyprowski wrote: > > On 4/12/2013 5:57 AM, Seung-Woo Kim wrote: >> The length of mmap() can be bigger than length of vb2 buffer, so >> it should be checked. >> >> Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com> > > Acked-by: Marek Szyprowski <m.szyprowski@samsung.com> > >> --- >> drivers/media/v4l2-core/videobuf2-core.c | 5 +++++ >> 1 files changed, 5 insertions(+), 0 deletions(-) >> >> diff --git a/drivers/media/v4l2-core/videobuf2-core.c >> b/drivers/media/v4l2-core/videobuf2-core.c >> index db1235d..2c6ff2d 100644 >> --- a/drivers/media/v4l2-core/videobuf2-core.c >> +++ b/drivers/media/v4l2-core/videobuf2-core.c >> @@ -1886,6 +1886,11 @@ int vb2_mmap(struct vb2_queue *q, struct >> vm_area_struct *vma) >> vb = q->bufs[buffer]; >> + if (vb->v4l2_planes[plane].length < (vma->vm_end - >> vma->vm_start)) { >> + dprintk(1, "Invalid length\n"); >> + return -EINVAL; >> + } >> + >> ret = call_memop(q, mmap, vb->planes[plane].mem_priv, vma); >> if (ret) >> return ret; > > Best regards
diff --git a/drivers/media/v4l2-core/videobuf2-core.c b/drivers/media/v4l2-core/videobuf2-core.c index db1235d..2c6ff2d 100644 --- a/drivers/media/v4l2-core/videobuf2-core.c +++ b/drivers/media/v4l2-core/videobuf2-core.c @@ -1886,6 +1886,11 @@ int vb2_mmap(struct vb2_queue *q, struct vm_area_struct *vma) vb = q->bufs[buffer]; + if (vb->v4l2_planes[plane].length < (vma->vm_end - vma->vm_start)) { + dprintk(1, "Invalid length\n"); + return -EINVAL; + } + ret = call_memop(q, mmap, vb->planes[plane].mem_priv, vma); if (ret) return ret;
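Review bot: The added `if` in `vb2_mmap()` compares the raw `vb->v4l2_planes[plane].length` against `vma->vm_end - vma->vm_start`, but a VMA always spans whole pages, so a plane whose length is not a multiple of the page size can no longer be mapped at all, even with a correctly sized request. Compare against the page-aligned plane length instead, for example `if (PAGE_ALIGN(vb->v4l2_planes[plane].length) < (vma->vm_end - vma->vm_start))`, which still rejects mappings that run past the last page of the buffer. Since the check is the only bound applied before `call_memop(q, mmap, ...)`, it would also help to include both sizes in the `dprintk` message so a rejected mapping can be diagnosed from the log.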
The length of mmap() can be bigger than length of vb2 buffer, so it should be checked. Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com> --- drivers/media/v4l2-core/videobuf2-core.c | 5 +++++ 1 files changed, 5 insertions(+), 0 deletions(-)