• Prabhakar Lad's avatar
    media: platform: davinci: return -EINVAL for VPFE_CMD_S_CCDC_RAW_PARAMS ioctl · 41f164dd
    Prabhakar Lad authored
    [ Upstream commit da05d52d ]
    
    this patch makes sure VPFE_CMD_S_CCDC_RAW_PARAMS ioctl no longer works
    for vpfe_capture driver with a minimal patch suitable for backporting.
    
    - This ioctl was never in public api and was only defined in kernel header.
    - The function set_params constantly mixes up pointers and phys_addr_t
      numbers.
    - This is part of a 'VPFE_CMD_S_CCDC_RAW_PARAMS' ioctl command that is
      described as an 'experimental ioctl that will change in future kernels'.
    - The code to allocate the table never gets called after we copy_from_user
      the user input over the kernel settings, and then compare them
      for inequality.
    - We then go on to use an address provided by user space as both the
      __user pointer for input and pass it through phys_to_virt to come up
      with a kernel pointer to copy the data to. This looks like a trivially
      exploitable root hole.
    
    Due to these reasons we make sure this ioctl now returns -EINVAL and backport
    this patch as far as possible.
    
    Fixes: 5f15fbb6 ("V4L/DVB (12251): v4l: dm644x ccdc module for vpfe capture driver")
    Signed-off-by: default avatarLad, Prabhakar <prabhakar.csengg@gmail.com>
    Cc: <stable@vger.kernel.org>      # for v3.7 and up
    Signed-off-by: default avatarHans Verkuil <hans.verkuil@cisco.com>
    Signed-off-by: default avatarMauro Carvalho Chehab <mchehab@s-opensource.com>
    Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
    41f164dd
vpfe_capture.c 54.5 KB