From: Greg Kroah-Hartman Date: Wed, 4 Jun 2014 23:20:38 +0000 (-0700) Subject: 3.10-stable patches X-Git-Tag: v3.14.6~31 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=7fd4609cf8ceab4991e4edc23feced5e9923ae90;p=thirdparty%2Fkernel%2Fstable-queue.git 3.10-stable patches added patches: media-v4l2-fix-vidioc_create_bufs-in-64-32-bit-compatibility-mode.patch media-v4l2-ov7670-fix-a-wrong-index-potentially-oopsing-the-kernel-from-user-space.patch
---
diff --git a/queue-3.10/media-v4l2-fix-vidioc_create_bufs-in-64-32-bit-compatibility-mode.patch b/queue-3.10/media-v4l2-fix-vidioc_create_bufs-in-64-32-bit-compatibility-mode.patch
new file mode 100644
index 00000000000..723dd64fc8c
--- /dev/null
+++ b/queue-3.10/media-v4l2-fix-vidioc_create_bufs-in-64-32-bit-compatibility-mode.patch
@@ -0,0 +1,68 @@
+From 97d9d23dda6f37d90aefeec4ed619d52df525382 Mon Sep 17 00:00:00 2001
+From: Guennadi Liakhovetski
+Date: Sat, 26 Apr 2014 12:51:31 -0300
+Subject: media: V4L2: fix VIDIOC_CREATE_BUFS in 64- / 32-bit compatibility mode
+
+From: Guennadi Liakhovetski
+
+commit 97d9d23dda6f37d90aefeec4ed619d52df525382 upstream.
+
+If a struct contains 64-bit fields, it is aligned on 64-bit boundaries
+within containing structs in 64-bit compilations. This is the case with
+struct v4l2_window, which contains pointers and is embedded into struct
+v4l2_format, and that one is embedded into struct v4l2_create_buffers.
+Unlike some other structs, used as a part of the kernel ABI as ioctl()
+arguments, that are packed, these structs aren't packed. This isn't a
+problem per se, but the ioctl-compat code for VIDIOC_CREATE_BUFS contains
+a bug, that triggers in such 64-bit builds. That code wrongly assumes,
+that in struct v4l2_create_buffers, struct v4l2_format immediately follows
+the __u32 memory field, which in fact isn't the case. This bug wasn't
+visible until now, because until recently hardly any applications used
+this ioctl() and mostly embedded 32-bit only drivers implemented it. This
+is changing now with addition of this ioctl() to some USB drivers, e.g.
+UVC. This patch fixes the bug by copying parts of struct
+v4l2_create_buffers separately.
+
+Signed-off-by: Guennadi Liakhovetski
+Acked-by: Laurent Pinchart
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/media/v4l2-core/v4l2-compat-ioctl32.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+--- a/drivers/media/v4l2-core/v4l2-compat-ioctl32.c
++++ b/drivers/media/v4l2-core/v4l2-compat-ioctl32.c
+@@ -178,6 +178,9 @@ struct v4l2_create_buffers32 {
+
+ static int __get_v4l2_format32(struct v4l2_format *kp, struct v4l2_format32 __user *up)
+ {
++ if (get_user(kp->type, &up->type))
++ return -EFAULT;
++
+ switch (kp->type) {
+ case V4L2_BUF_TYPE_VIDEO_CAPTURE:
+ case V4L2_BUF_TYPE_VIDEO_OUTPUT:
+@@ -204,17 +207,16 @@ static int __get_v4l2_format32(struct v4
+
+ static int get_v4l2_format32(struct v4l2_format *kp, struct v4l2_format32 __user *up)
+ {
+- if (!access_ok(VERIFY_READ, up, sizeof(struct v4l2_format32)) ||
+- get_user(kp->type, &up->type))
+- return -EFAULT;
++ if (!access_ok(VERIFY_READ, up, sizeof(struct v4l2_format32)))
++ return -EFAULT;
+ return __get_v4l2_format32(kp, up);
+ }
+
+ static int get_v4l2_create32(struct v4l2_create_buffers *kp, struct v4l2_create_buffers32 __user *up)
+ {
+ if (!access_ok(VERIFY_READ, up, sizeof(struct v4l2_create_buffers32)) ||
+- copy_from_user(kp, up, offsetof(struct v4l2_create_buffers32, format.fmt)))
+- return -EFAULT;
++ copy_from_user(kp, up, offsetof(struct v4l2_create_buffers32, format)))
++ return -EFAULT;
+ return __get_v4l2_format32(&kp->format, &up->format);
+ }
+
diff --git a/queue-3.10/media-v4l2-ov7670-fix-a-wrong-index-potentially-oopsing-the-kernel-from-user-space.patch b/queue-3.10/media-v4l2-ov7670-fix-a-wrong-index-potentially-oopsing-the-kernel-from-user-space.patch
new file mode 100644
index 00000000000..3a48939e511
--- /dev/null
+++ b/queue-3.10/media-v4l2-ov7670-fix-a-wrong-index-potentially-oopsing-the-kernel-from-user-space.patch
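Review bot: In `get_v4l2_create32` (drivers/media/v4l2-core/v4l2-compat-ioctl32.c) the new `copy_from_user(kp, up, offsetof(struct v4l2_create_buffers32, format))` still takes its length from the 32-bit layout and writes into the native struct, so it is only correct while every field ahead of `format` sits at the same offset in both structs, and nothing in the hunk states that. I would add a comment above the call, e.g. `/* fields before 'format' have identical offsets in the native and compat structs; 'format' is converted separately below */`, ideally backed by a build-time offset check. The patch touches only the copy-in helpers; the copy-out counterpart for VIDIOC_CREATE_BUFS is outside these lines, and if it still uses the `format.fmt` offset it would carry the same wrong layout assumption, so it is worth checking. Bytes of `*kp` that neither this copy nor `__get_v4l2_format32` writes (the alignment padding the commit message describes, and any trailing fields) keep their previous contents, so whether the caller zeroes the struct before it is later copied back to user space should be confirmed.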
@@ -0,0 +1,36 @@
+From cfece5857ca51d1dcdb157017aba226f594e9dcf Mon Sep 17 00:00:00 2001
+From: Guennadi Liakhovetski
+Date: Mon, 14 Apr 2014 10:49:34 -0300
+Subject: media: V4L2: ov7670: fix a wrong index, potentially Oopsing the kernel from user-space
+
+From: Guennadi Liakhovetski
+
+commit cfece5857ca51d1dcdb157017aba226f594e9dcf upstream.
+
+Commit 75e2bdad8901a0b599e01a96229be922eef1e488 "ov7670: allow
+configuration of image size, clock speed, and I/O method" uses a wrong
+index to iterate an array. Apart from being wrong, it also uses an
+unchecked value from user-space, which can cause access to unmapped
+memory in the kernel, triggered by a normal desktop user with rights to
+use V4L2 devices.
+
+Signed-off-by: Guennadi Liakhovetski
+Acked-by: Jonathan Corbet
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/media/i2c/ov7670.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/media/i2c/ov7670.c
++++ b/drivers/media/i2c/ov7670.c
+@@ -1110,7 +1110,7 @@ static int ov7670_enum_framesizes(struct
+ * windows that fall outside that.
+ */
+ for (i = 0; i < n_win_sizes; i++) {
+- struct ov7670_win_size *win = &info->devtype->win_sizes[index];
++ struct ov7670_win_size *win = &info->devtype->win_sizes[i];
+ if (info->min_width && win->width < info->min_width)
+ continue;
+ if (info->min_height && win->height < info->min_height)
diff --git a/queue-3.10/series b/queue-3.10/series
index b5527520e57..6552d70145f 100644
--- a/queue-3.10/series
+++ b/queue-3.10/series
@@ -99,3 +99,5 @@ powerpc-fix-64-bit-builds-with-binutils-2.24.patch
 libceph-fix-corruption-when-using-page_count-0-page-in-rbd.patch
 iommu-amd-fix-interrupt-remapping-for-aliased-devices.patch
 media-fc2580-fix-tuning-failure-on-32-bit-arch.patch
+media-v4l2-ov7670-fix-a-wrong-index-potentially-oopsing-the-kernel-from-user-space.patch
+media-v4l2-fix-vidioc_create_bufs-in-64-32-bit-compatibility-mode.patch
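Review bot: In `ov7670_enum_framesizes` (drivers/media/i2c/ov7670.c) nothing near the corrected loop records that `index` is, per the commit message, an unchecked value from user space and must never be used as a subscript. A comment above the `for`, e.g. `/* 'index' is user-supplied: compare it only against the count of accepted windows, never use it to subscript win_sizes[] */`, would document the invariant this fix restores and make a regression easier to spot in review. `win` is only read in the visible lines, so it could also be declared `const struct ov7670_win_size *win`. The loop body and the rest of the function lie outside the hunk, so how `index` is used after these lines cannot be confirmed from here.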