[PATCH] bcm2835-v4l2: Fix buffer overflow problem

Dave Stevenson dave.stevenson at raspberrypi.org
Tue Mar 14 08:32:43 PDT 2017


NACK.
Phil asked for a couple of changes, although functionally identical.
I'll send a patch when I get a chance.

Your existing workaround has removed the immediate issue of the
overflow; this was only cleaning things up to actually match the
original API.

  Dave

On 14 March 2017 at 15:10, Michael Zoran <mzoran at crowfest.net> wrote:
> From: Dave Stevenson <dave.stevenson at raspberrypi.org>
>
> https://github.com/raspberrypi/linux/issues/1447
> port_parameter_get() failed to account for the header
> (u32 id and u32 size) in the size before memcpying
> the response into the response buffer, so overrunning
> the provided buffer by 8 bytes.
>
> Account for those bytes, and also a belt-and-braces
> check to ensure we never copy more than *value_size
> bytes into value.
>
> Signed-off-by: Dave Stevenson <dave.stevenson at raspberrypi.org>
> Signed-off-by: Michael Zoran <mzoran at crowfest.net>
> Tested-by: Michael Zoran <mzoran at crowfest.net>
>
> ---
>  drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.c | 7 ++++++-
>  1 file changed, 6 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.c b/drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.c
> index fc1076db0f82..ccb2ee547055 100644
> --- a/drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.c
> +++ b/drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.c
> @@ -1445,7 +1445,12 @@ static int port_parameter_get(struct vchiq_mmal_instance *instance,
>         }
>
>         ret = -rmsg->u.port_parameter_get_reply.status;
> -       if (ret || (rmsg->u.port_parameter_get_reply.size > *value_size)) {
> +       /* port_parameter_get_reply.size includes the header,
> +        * whilst *value_size doesn't.
> +        */
> +       rmsg->u.port_parameter_get_reply.size -= (2 * sizeof(u32));
> +
> +       if (ret || rmsg->u.port_parameter_get_reply.size > *value_size) {
>                 /* Copy only as much as we have space for
>                  * but report true size of parameter
>                  */
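Review bot: the `size -= (2 * sizeof(u32))` line runs before anything checks that `port_parameter_get_reply.size` is at least the header length, so a reply whose size field is below 8 wraps (if the field is unsigned) to a huge value; the `> *value_size` branch then limits the copy, but the "true size" reported back to the caller is nonsense. Suggest guarding first, e.g. `if (rmsg->u.port_parameter_get_reply.size < 2 * sizeof(u32))` and treating that as an error, and doing the subtraction into a local (say `payload_size`) with a named header-length constant instead of mutating the reply in place with a bare `2 * sizeof(u32)`; that also avoids adjusting the size when `ret` is already non-zero. The commit message promises a belt-and-braces limit on the copy length, but this hunk only touches the comparison and the memcpy it guards lies outside the shown context, so that claim cannot be checked from the diff as posted.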
> --
> 2.11.0
>



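The header-accounting mistake the commit message describes, as an added example that is not part of the thread or of the driver: a reply whose size field counts its own 8-byte header is compared against a caller buffer size that counts only the value. The struct, function names and sample bytes below are this example's own; the "naive" routine reproduces only the arithmetic the message describes (header-inclusive size used as value length), and the "checked" routine shows the subtraction done safely, with a lower bound against underflow and an upper bound against the bytes actually received.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef uint32_t u32;

/* Constructed model of the reply layout the commit message describes:
 * a u32 id and a u32 size header, then the parameter value. Names and
 * layout are this example's own, not the driver's. */
#define REPLY_HDR_LEN (2 * sizeof(u32))

struct reply {
    u32 id;
    u32 size;           /* header + value, as counted by the sender */
    uint8_t value[32];  /* value bytes; anything past the real value is slack */
};

/* Pre-fix arithmetic: uses the header-inclusive size as the value length.
 * Copies up to *value_size bytes and reports r->size as the "true" size.
 * Returns the number of bytes copied. */
static size_t copy_value_naive(const struct reply *r, void *value, u32 *value_size)
{
    u32 n = r->size;

    if (n > *value_size)
        n = *value_size;            /* clamp to the caller's buffer */
    memcpy(value, r->value, n);     /* up to 8 of these bytes are not the value */
    *value_size = r->size;          /* reported size is 8 bytes too large */
    return n;
}

/* Fixed arithmetic with the checks a reviewer would want around the
 * subtraction: reject a size smaller than the header (unsigned underflow)
 * or larger than the bytes actually received (msg_len), then compare the
 * value length, not the header-inclusive size, against the caller's buffer.
 * Returns bytes copied, or -1 if the size field is unusable. */
static long copy_value_checked(const struct reply *r, size_t msg_len,
                               void *value, u32 *value_size)
{
    u32 payload, n;

    if (r->size < REPLY_HDR_LEN || r->size > msg_len)
        return -1;
    payload = r->size - REPLY_HDR_LEN;

    n = payload > *value_size ? *value_size : payload;  /* copy what fits */
    memcpy(value, r->value, n);
    *value_size = payload;          /* report the real value length */
    return (long)n;
}

/* Constructed sample: a 16-byte value followed by 0xEE slack, so a copy
 * that runs past the value shows up as 0xEE in the destination. */
static struct reply sample_reply(void)
{
    struct reply r;

    memset(&r, 0xEE, sizeof(r));
    r.id = 1;
    r.size = (u32)(REPLY_HDR_LEN + 16);
    memcpy(r.value, "0123456789abcdef", 16);
    return r;
}

int main(void)
{
    struct reply r = sample_reply();
    uint8_t buf[32];
    u32 sz;
    size_t n;
    long m;

    sz = sizeof(buf);
    n = copy_value_naive(&r, buf, &sz);
    printf("naive:   copied %zu, reported %u, buf[16]=0x%02x\n", n, sz, buf[16]);

    sz = sizeof(buf);
    m = copy_value_checked(&r, REPLY_HDR_LEN + 16, buf, &sz);
    printf("checked: copied %ld, reported %u\n", m, sz);
    return 0;
}
```

With a 32-byte destination the naive routine copies 24 bytes (8 of them slack that was never part of the value) and tells the caller the parameter is 24 bytes long; the checked routine copies the 16 real bytes, reports 16, and refuses a reply whose size field is smaller than the header rather than letting the subtraction wrap.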