From: Greg Kroah-Hartman Date: Mon, 7 Aug 2017 22:16:35 +0000 (-0700) Subject: 3.18-stable patches X-Git-Tag: v4.12.6~42 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=31dfd96a8cb2623fde1ba828f9cea22bc1615921;p=thirdparty%2Fkernel%2Fstable-queue.git 3.18-stable patches added patches: media-platform-davinci-return-einval-for-vpfe_cmd_s_ccdc_raw_params-ioctl.patch --- diff --git a/queue-3.18/media-platform-davinci-return-einval-for-vpfe_cmd_s_ccdc_raw_params-ioctl.patch b/queue-3.18/media-platform-davinci-return-einval-for-vpfe_cmd_s_ccdc_raw_params-ioctl.patch new file mode 100644 index 00000000000..4ad81e50755 --- /dev/null +++ b/queue-3.18/media-platform-davinci-return-einval-for-vpfe_cmd_s_ccdc_raw_params-ioctl.patch 
@@ -0,0 +1,71 @@ +From da05d52d2f0f6bd61094a0cd045fed94bf7d673a Mon Sep 17 00:00:00 2001 +From: Prabhakar Lad +Date: Thu, 20 Jul 2017 08:02:09 -0400 +Subject: media: platform: davinci: return -EINVAL for VPFE_CMD_S_CCDC_RAW_PARAMS ioctl + +From: Prabhakar Lad + +commit da05d52d2f0f6bd61094a0cd045fed94bf7d673a upstream. + +this patch makes sure VPFE_CMD_S_CCDC_RAW_PARAMS ioctl no longer works +for vpfe_capture driver with a minimal patch suitable for backporting. + +- This ioctl was never in public api and was only defined in kernel header. +- The function set_params constantly mixes up pointers and phys_addr_t + numbers. +- This is part of a 'VPFE_CMD_S_CCDC_RAW_PARAMS' ioctl command that is + described as an 'experimental ioctl that will change in future kernels'. +- The code to allocate the table never gets called after we copy_from_user + the user input over the kernel settings, and then compare them + for inequality. +- We then go on to use an address provided by user space as both the + __user pointer for input and pass it through phys_to_virt to come up + with a kernel pointer to copy the data to. This looks like a trivially + exploitable root hole. + +Due to these reasons we make sure this ioctl now returns -EINVAL and backport +this patch as far as possible. 
+ +Fixes: 5f15fbb68fd7 ("V4L/DVB (12251): v4l: dm644x ccdc module for vpfe capture driver") + +Signed-off-by: Lad, Prabhakar +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/media/platform/davinci/vpfe_capture.c | 22 ++-------------------- + 1 file changed, 2 insertions(+), 20 deletions(-) + +--- a/drivers/media/platform/davinci/vpfe_capture.c ++++ b/drivers/media/platform/davinci/vpfe_capture.c +@@ -1706,27 +1706,9 @@ static long vpfe_param_handler(struct fi + + switch (cmd) { + case VPFE_CMD_S_CCDC_RAW_PARAMS: ++ ret = -EINVAL; + v4l2_warn(&vpfe_dev->v4l2_dev, +- "VPFE_CMD_S_CCDC_RAW_PARAMS: experimental ioctl\n"); +- if (ccdc_dev->hw_ops.set_params) { +- ret = ccdc_dev->hw_ops.set_params(param); +- if (ret) { +- v4l2_dbg(1, debug, &vpfe_dev->v4l2_dev, +- "Error setting parameters in CCDC\n"); +- goto unlock_out; +- } +- ret = vpfe_get_ccdc_image_format(vpfe_dev, +- &vpfe_dev->fmt); +- if (ret < 0) { +- v4l2_dbg(1, debug, &vpfe_dev->v4l2_dev, +- "Invalid image format at CCDC\n"); +- goto unlock_out; +- } +- } else { +- ret = -EINVAL; +- v4l2_dbg(1, debug, &vpfe_dev->v4l2_dev, +- "VPFE_CMD_S_CCDC_RAW_PARAMS not supported\n"); +- } ++ "VPFE_CMD_S_CCDC_RAW_PARAMS not supported\n"); + break; + default: + ret = -ENOTTY; diff --git a/queue-3.18/series b/queue-3.18/series index 16b35787bed..87d85e99c88 100644 --- a/queue-3.18/series +++ b/queue-3.18/series @@ -61,3 +61,4 @@ kvm-async_pf-make-rcu-irq-exit-if-not-triggered-from-idle-task.patch mm-page_alloc-remove-kernel-address-exposure-in-free_reserved_area.patch ext4-fix-seek_hole-seek_data-for-blocksize-pagesize.patch ext4-fix-overflow-caused-by-missing-cast-in-ext4_resize_fs.patch +media-platform-davinci-return-einval-for-vpfe_cmd_s_ccdc_raw_params-ioctl.patch
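Review bot: in the `VPFE_CMD_S_CCDC_RAW_PARAMS` case of `vpfe_param_handler()`, the rejection is now logged unconditionally with `v4l2_warn(&vpfe_dev->v4l2_dev, "VPFE_CMD_S_CCDC_RAW_PARAMS not supported\n")`, whereas the removed "not supported" branch logged the same message through `v4l2_dbg(1, debug, ...)`. The case now fails before looking at `param`, so any process that can issue this ioctl can emit one warning per call and flood the kernel log. Keeping the message at `v4l2_dbg` level, or rate-limiting the warning, would preserve the diagnostic without giving user space a log-spam primitive. Separately, the diffstat shows only `vpfe_capture.c` changing, so the `hw_ops.set_params` implementations that the commit message describes as mixing pointers and `phys_addr_t` values stay in the tree, merely no longer reached from this handler. A follow-up that removes the hook and its implementations would keep the code from being wired back in later. The choice of `-EINVAL` here, next to `-ENOTTY` in the `default` case, matches what the removed else branch returned and what the subject line states, so it needs no change.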