4.9-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 7 Aug 2017 22:16:54 +0000 (15:16 -0700)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 7 Aug 2017 22:16:54 +0000 (15:16 -0700)
added patches:
media-platform-davinci-return-einval-for-vpfe_cmd_s_ccdc_raw_params-ioctl.patch

queue-4.9/media-platform-davinci-return-einval-for-vpfe_cmd_s_ccdc_raw_params-ioctl.patch [new file with mode: 0644]
queue-4.9/series

diff --git a/queue-4.9/media-platform-davinci-return-einval-for-vpfe_cmd_s_ccdc_raw_params-ioctl.patch b/queue-4.9/media-platform-davinci-return-einval-for-vpfe_cmd_s_ccdc_raw_params-ioctl.patch
new file mode 100644 (file)
index 0000000..c609492
--- /dev/null
@@ -0,0 +1,71 @@
+From da05d52d2f0f6bd61094a0cd045fed94bf7d673a Mon Sep 17 00:00:00 2001
+From: Prabhakar Lad <prabhakar.csengg@gmail.com>
+Date: Thu, 20 Jul 2017 08:02:09 -0400
+Subject: media: platform: davinci: return -EINVAL for VPFE_CMD_S_CCDC_RAW_PARAMS ioctl
+
+From: Prabhakar Lad <prabhakar.csengg@gmail.com>
+
+commit da05d52d2f0f6bd61094a0cd045fed94bf7d673a upstream.
+
+this patch makes sure VPFE_CMD_S_CCDC_RAW_PARAMS ioctl no longer works
+for vpfe_capture driver with a minimal patch suitable for backporting.
+
+- This ioctl was never in public api and was only defined in kernel header.
+- The function set_params constantly mixes up pointers and phys_addr_t
+  numbers.
+- This is part of a 'VPFE_CMD_S_CCDC_RAW_PARAMS' ioctl command that is
+  described as an 'experimental ioctl that will change in future kernels'.
+- The code to allocate the table never gets called after we copy_from_user
+  the user input over the kernel settings, and then compare them
+  for inequality.
+- We then go on to use an address provided by user space as both the
+  __user pointer for input and pass it through phys_to_virt to come up
+  with a kernel pointer to copy the data to. This looks like a trivially
+  exploitable root hole.
+
+Due to these reasons we make sure this ioctl now returns -EINVAL and backport
+this patch as far as possible.
+
+Fixes: 5f15fbb68fd7 ("V4L/DVB (12251): v4l: dm644x ccdc module for vpfe capture driver")
+
+Signed-off-by: Lad, Prabhakar <prabhakar.csengg@gmail.com>
+Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/platform/davinci/vpfe_capture.c |   22 ++--------------------
+ 1 file changed, 2 insertions(+), 20 deletions(-)
+
+--- a/drivers/media/platform/davinci/vpfe_capture.c
++++ b/drivers/media/platform/davinci/vpfe_capture.c
+@@ -1725,27 +1725,9 @@ static long vpfe_param_handler(struct fi
+       switch (cmd) {
+       case VPFE_CMD_S_CCDC_RAW_PARAMS:
++              ret = -EINVAL;
+               v4l2_warn(&vpfe_dev->v4l2_dev,
+-                        "VPFE_CMD_S_CCDC_RAW_PARAMS: experimental ioctl\n");
+-              if (ccdc_dev->hw_ops.set_params) {
+-                      ret = ccdc_dev->hw_ops.set_params(param);
+-                      if (ret) {
+-                              v4l2_dbg(1, debug, &vpfe_dev->v4l2_dev,
+-                                      "Error setting parameters in CCDC\n");
+-                              goto unlock_out;
+-                      }
+-                      ret = vpfe_get_ccdc_image_format(vpfe_dev,
+-                                                       &vpfe_dev->fmt);
+-                      if (ret < 0) {
+-                              v4l2_dbg(1, debug, &vpfe_dev->v4l2_dev,
+-                                      "Invalid image format at CCDC\n");
+-                              goto unlock_out;
+-                      }
+-              } else {
+-                      ret = -EINVAL;
+-                      v4l2_dbg(1, debug, &vpfe_dev->v4l2_dev,
+-                              "VPFE_CMD_S_CCDC_RAW_PARAMS not supported\n");
+-              }
++                      "VPFE_CMD_S_CCDC_RAW_PARAMS not supported\n");
+               break;
+       default:
+               ret = -ENOTTY;
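Review bot: The new `v4l2_warn()` in the `VPFE_CMD_S_CCDC_RAW_PARAMS` case prints at warning level on every call, so any process allowed to open the video node can fill the kernel log at will. The removed code logged the same message at debug level, and keeping that form, `v4l2_dbg(1, debug, &vpfe_dev->v4l2_dev, "VPFE_CMD_S_CCDC_RAW_PARAMS not supported\n");`, or using a rate-limited print, would avoid this. The hunk only stops the dispatch: the `hw_ops.set_params` implementations that the commit message describes as passing a user-supplied address through `phys_to_virt` are presumably still built into the ccdc modules, so a follow-up that removes them would guarantee no other path reaches that code. Both `goto unlock_out` statements are gone and `vpfe_param_handler` begins and ends outside the hunk, so it is worth confirming the label still has a user; otherwise the build gains an unused-label warning.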
index 7bd92a7f05132d051570968fa84f72ab2c6feb12..090ecb2dd991830e0d9cfcafc0c98b35c6d800b8 100644 (file)
@@ -25,3 +25,4 @@ ext4-fix-seek_hole-seek_data-for-blocksize-pagesize.patch
 ext4-fix-overflow-caused-by-missing-cast-in-ext4_resize_fs.patch
 arm-dts-armada-38x-fix-irq-type-for-pca955.patch
 arm-dts-tango4-request-rgmii-rx-and-tx-clock-delays.patch
+media-platform-davinci-return-einval-for-vpfe_cmd_s_ccdc_raw_params-ioctl.patch