media: vivid: s_fbuf: add more sanity checks

[ Upstream commit f8bcaf714abfc94818dff8c0db84d750433984f4 ]

VIDIOC_S_FBUF is by definition a scary ioctl, which is why only root
can use it. But at least check if the framebuffer parameters match that
of one of the framebuffer created by vivid, and reject anything else.

Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Fixes: ef834f7836ec ([media] vivid: add the video capture and output parts)
Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>

diff --git a/drivers/media/platform/vivid/vivid-core.c b/drivers/media/platform/vivid/vivid-core.c
index cc71aa42559727a0aba52974936d94f83509f608..f6dc2b69b62e2b3e1562a261a8c0f22a431b4563 100644 (file)
--- a/drivers/media/platform/vivid/vivid-core.c
+++ b/drivers/media/platform/vivid/vivid-core.c
@@ -297,6 +297,28 @@ static int vidioc_g_fbuf(struct file *file, void *fh, struct v4l2_framebuffer *a
        return vivid_vid_out_g_fbuf(file, fh, a);
 }
 
+/*
+ * Only support the framebuffer of one of the vivid instances.
+ * Anything else is rejected.
+ */
+bool vivid_validate_fb(const struct v4l2_framebuffer *a)
+{
+       struct vivid_dev *dev;
+       int i;
+
+       for (i = 0; i < n_devs; i++) {
+               dev = vivid_devs[i];
+               if (!dev || !dev->video_pbase)
+                       continue;
+               if ((unsigned long)a->base == dev->video_pbase &&
+                   a->fmt.width <= dev->display_width &&
+                   a->fmt.height <= dev->display_height &&
+                   a->fmt.bytesperline <= dev->display_byte_stride)
+                       return true;
+       }
+       return false;
+}
+
 static int vidioc_s_fbuf(struct file *file, void *fh, const struct v4l2_framebuffer *a)
 {
        struct video_device *vdev = video_devdata(file);

diff --git a/drivers/media/platform/vivid/vivid-core.h b/drivers/media/platform/vivid/vivid-core.h
index 7ebb14673c759e5e8b50aa7fa12f95cf3e509de7..0ab4051327d68147a39ff3cb1c25564547bf35b0 100644 (file)
--- a/drivers/media/platform/vivid/vivid-core.h
+++ b/drivers/media/platform/vivid/vivid-core.h
@@ -564,4 +564,6 @@ static inline bool vivid_is_hdmi_out(const struct vivid_dev *dev)
        return dev->output_type[dev->output] == HDMI;
 }
 
+bool vivid_validate_fb(const struct v4l2_framebuffer *a);
+
 #endif

diff --git a/drivers/media/platform/vivid/vivid-vid-cap.c b/drivers/media/platform/vivid/vivid-vid-cap.c
index 2d030732feaca52274ea417f0158781b09f4b505..fe7b8591f1133f87b39ddb9005b055b8f7f623d1 100644 (file)
--- a/drivers/media/platform/vivid/vivid-vid-cap.c
+++ b/drivers/media/platform/vivid/vivid-vid-cap.c
@@ -1250,7 +1250,14 @@ int vivid_vid_cap_s_fbuf(struct file *file, void *fh,
                return -EINVAL;
        if (a->fmt.bytesperline < (a->fmt.width * fmt->bit_depth[0]) / 8)
                return -EINVAL;
-       if (a->fmt.height * a->fmt.bytesperline < a->fmt.sizeimage)
+       if (a->fmt.bytesperline > a->fmt.sizeimage / a->fmt.height)
+               return -EINVAL;
+
+       /*
+        * Only support the framebuffer of one of the vivid instances.
+        * Anything else is rejected.
+        */
+       if (!vivid_validate_fb(a))
                return -EINVAL;
 
        dev->fb_vbase_cap = phys_to_virt((unsigned long)a->base);