[PATCH] bcm2835-v4l2: Fix buffer overflow problem
Michael Zoran
mzoran at crowfest.net
Tue Mar 14 08:10:40 PDT 2017
From: Dave Stevenson <dave.stevenson at raspberrypi.org>
https://github.com/raspberrypi/linux/issues/1447
port_parameter_get() failed to account for the header
(u32 id and u32 size) in the size before memcpying
the response into the response buffer, so overrunning
the provided buffer by 8 bytes.
Account for those bytes, and also a belt-and-braces
check to ensure we never copy more than *value_size
bytes into value.
Signed-off-by: Dave Stevenson <dave.stevenson at raspberrypi.org>
Signed-off-by: Michael Zoran <mzoran at crowfest.net>
Tested-by: Michael Zoran <mzoran at crowfest.net>
---
drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.c b/drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.c
index fc1076db0f82..ccb2ee547055 100644
--- a/drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.c
+++ b/drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.c
@@ -1445,7 +1445,12 @@ static int port_parameter_get(struct vchiq_mmal_instance *instance,
}
ret = -rmsg->u.port_parameter_get_reply.status;
- if (ret || (rmsg->u.port_parameter_get_reply.size > *value_size)) {
+ /* port_parameter_get_reply.size includes the header,
+ * whilst *value_size doesn't.
+ */
+ rmsg->u.port_parameter_get_reply.size -= (2 * sizeof(u32));
+
+ if (ret || rmsg->u.port_parameter_get_reply.size > *value_size) {
/* Copy only as much as we have space for
* but report true size of parameter
*/
--
2.11.0
More information about the linux-rpi-kernel
mailing list