summaryrefslogtreecommitdiff
path: root/drivers/media/platform/sti/hva/hva-h264.c
diff options
context:
space:
mode:
authorPrabhakar Lad <prabhakar.csengg@gmail.com>2017-07-20 15:02:09 +0300
committerMauro Carvalho Chehab <mchehab@s-opensource.com>2017-07-20 22:55:40 +0300
commit6759b019eeacd7de034d4093177f7205abc16d79 (patch)
tree90fbcccb9091659ba208bff8aa9934caad788910 /drivers/media/platform/sti/hva/hva-h264.c
parenta6e2d36bf6b7e2f821ce89dc6e5fb9b4dfe2970c (diff)
downloadlinux-6759b019eeacd7de034d4093177f7205abc16d79.tar.xz
media: platform: davinci: return -EINVAL for VPFE_CMD_S_CCDC_RAW_PARAMS ioctl
this patch makes sure VPFE_CMD_S_CCDC_RAW_PARAMS ioctl no longer works for vpfe_capture driver with a minimal patch suitable for backporting. - This ioctl was never in public api and was only defined in kernel header. - The function set_params constantly mixes up pointers and phys_addr_t numbers. - This is part of a 'VPFE_CMD_S_CCDC_RAW_PARAMS' ioctl command that is described as an 'experimental ioctl that will change in future kernels'. - The code to allocate the table never gets called after we copy_from_user the user input over the kernel settings, and then compare them for inequality. - We then go on to use an address provided by user space as both the __user pointer for input and pass it through phys_to_virt to come up with a kernel pointer to copy the data to. This looks like a trivially exploitable root hole. Due to these reasons we make sure this ioctl now returns -EINVAL and backport this patch as far as possible. Fixes: 5f15fbb68fd7 ("V4L/DVB (12251): v4l: dm644x ccdc module for vpfe capture driver") Signed-off-by: Lad, Prabhakar <prabhakar.csengg@gmail.com> Cc: <stable@vger.kernel.org> # for v3.7 and up Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com> Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
Diffstat (limited to 'drivers/media/platform/sti/hva/hva-h264.c')
0 files changed, 0 insertions, 0 deletions