On Thu, 29 Mar 2018 10:40:23 +0200 Hans Verkuil hverkuil@xs4all.nl wrote:
Hi Mauro,
On 28/03/18 19:59, Mauro Carvalho Chehab wrote:
At put_v4l2_window32(), it tries to access kp->clips. However, kp points to a userspace pointer. So, it should be obtained via get_user(), otherwise it can OOPS:
<snip>
cc: stable@vger.kernel.org
Signed-off-by: Mauro Carvalho Chehab mchehab@s-opensource.com
drivers/media/v4l2-core/v4l2-compat-ioctl32.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/media/v4l2-core/v4l2-compat-ioctl32.c b/drivers/media/v4l2-core/v4l2-compat-ioctl32.c index 5198c9eeb348..4312935f1dfc 100644 --- a/drivers/media/v4l2-core/v4l2-compat-ioctl32.c +++ b/drivers/media/v4l2-core/v4l2-compat-ioctl32.c @@ -101,7 +101,7 @@ static int get_v4l2_window32(struct v4l2_window __user *kp, static int put_v4l2_window32(struct v4l2_window __user *kp, struct v4l2_window32 __user *up) {
- struct v4l2_clip __user *kclips = kp->clips;
- struct v4l2_clip __user *kclips; struct v4l2_clip32 __user *uclips; compat_caddr_t p; u32 clipcount;
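Review bot: the removed initialiser `struct v4l2_clip __user *kclips = kp->clips;` dereferences `kp`, which is itself a `__user` pointer, directly in kernel context; that is the access sparse reports as a dereference of a noderef expression, so it is worth confirming that a `make C=1` build of this file is clean after the change, since the annotation was there to catch exactly this. Leaving `kclips` uninitialised here is fine as long as every path that uses it goes through the `get_user()` added in the next hunk.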
@@ -116,6 +116,8 @@ static int put_v4l2_window32(struct v4l2_window __user *kp, if (!clipcount) return 0;
- if (get_user(kclips, &kp->clips))
if (get_user(p, &up->clips)) return -EFAULT; uclips = compat_ptr(p);return -EFAULT;
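Review bot: the new `get_user(kclips, &kp->clips)` is placed after the `if (!clipcount) return 0;` early exit, so the pointer is only fetched when it will actually be used, which is the right place for it. One small style point: with two consecutive `get_user()` calls that both fail the same way, they could be folded into a single check, `if (get_user(kclips, &kp->clips) || get_user(p, &up->clips)) return -EFAULT;`, so the fault handling for this function lives in one place; either form is correct, and the fix itself should go to stable as the cc indicates.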
Reviewed-by: Hans Verkuil hans.verkuil@cisco.com
I have no idea why I didn't find this when I tested this with v4l2-compliance, but the code was certainly wrong.
I built 4.16-rc4 with KASAN enabled. Perhaps it won't OOPS without it. Yet, I doubt it would work without this fix.
Thank you for debugging this!
Anytime.
Thanks, Mauro