[PATCH 2/5] staging: bcm2835-camera: Fix integer underrun in port_parameter_get
Greg KH
gregkh at linuxfoundation.org
Tue Mar 21 00:26:43 PDT 2017
On Fri, Mar 17, 2017 at 02:56:43PM -0700, Michael Zoran wrote:
> Fix port_paremeter_get function blindly subtracts 8 from a reply
> size without checking that the size is at lest 8 bytes. This can
> casue a large buffer to be copied since the size is unsigned.
>
> Add a WARN_ON, and also add min and max conditions to the size
> of the data that is copied.
>
> Signed-off-by: Michael Zoran <mzoran at crowfest.net>
> ---
> .../vc04_services/bcm2835-camera/mmal-vchiq.c | 27 +++++++++++-----------
> 1 file changed, 14 insertions(+), 13 deletions(-)
>
> diff --git a/drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.c b/drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.c
> index 4f4499dfe0c3..a8768358c557 100644
> --- a/drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.c
> +++ b/drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.c
> @@ -1450,23 +1450,24 @@ static int port_parameter_get(struct vchiq_mmal_instance *instance,
> * port_parameter_get_reply.size includes the header,
> * whilst *value_size doesn't.
> */
> - reply_size = rmsg->u.port_parameter_get_reply.size - (2 * sizeof(u32));
>
> - if (ret || (reply_size > *value_size)) {
> - /* Copy only as much as we have space for
> - * but report true size of parameter
> - */
> - memcpy(value, &rmsg->u.port_parameter_get_reply.value,
> - *value_size);
> - } else
> - memcpy(value, &rmsg->u.port_parameter_get_reply.value,
> - reply_size);
> + if (WARN_ON(rmsg->u.port_parameter_get_reply.size < 8))
> + reply_size = 0;
Can userspace trigger this warning? If so, don't make it a warning,
just check for it and handle it properly.
thanks,
greg k-h
More information about the linux-rpi-kernel
mailing list