[PATCH 2/5] staging: bcm2835-camera: Fix integer underrun in port_parameter_get

Greg KH gregkh at linuxfoundation.org
Tue Mar 21 00:26:43 PDT 2017


On Fri, Mar 17, 2017 at 02:56:43PM -0700, Michael Zoran wrote:
> Fix port_paremeter_get function blindly subtracts 8 from a reply
> size without checking that the size is at lest 8 bytes. This can
> casue a large buffer to be copied since the size is unsigned.
> 
> Add a WARN_ON, and also add min and max conditions to the size
> of the data that is copied.
> 
> Signed-off-by: Michael Zoran <mzoran at crowfest.net>
> ---
>  .../vc04_services/bcm2835-camera/mmal-vchiq.c      | 27 +++++++++++-----------
>  1 file changed, 14 insertions(+), 13 deletions(-)
> 
> diff --git a/drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.c b/drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.c
> index 4f4499dfe0c3..a8768358c557 100644
> --- a/drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.c
> +++ b/drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.c
> @@ -1450,23 +1450,24 @@ static int port_parameter_get(struct vchiq_mmal_instance *instance,
>  	 * port_parameter_get_reply.size includes the header,
>  	 * whilst *value_size doesn't.
>  	 */
> -	reply_size = rmsg->u.port_parameter_get_reply.size - (2 * sizeof(u32));
>  
> -	if (ret || (reply_size > *value_size)) {
> -		/* Copy only as much as we have space for
> -		 * but report true size of parameter
> -		 */
> -		memcpy(value, &rmsg->u.port_parameter_get_reply.value,
> -		       *value_size);
> -	} else
> -		memcpy(value, &rmsg->u.port_parameter_get_reply.value,
> -		       reply_size);
> +	if (WARN_ON(rmsg->u.port_parameter_get_reply.size < 8))
> +		reply_size = 0;

Can userspace trigger this warning?  If so, don't make it a warning,
just check for it and handle it properly.

thanks,

greg k-h



More information about the linux-rpi-kernel mailing list