* [PATCH] [media] atomisp2: Array underflow in atomisp_enum_input()
@ 2017-07-19 9:55 ` Dan Carpenter
0 siblings, 0 replies; 6+ messages in thread
From: Dan Carpenter @ 2017-07-19 9:55 UTC (permalink / raw)
To: Mauro Carvalho Chehab
Cc: Greg Kroah-Hartman, Alan Cox, linux-media, devel, kernel-janitors
The problem here is this code from atomisp_enum_input():
581 int index = input->index;
582
583 if (index >= isp->input_cnt)
584 return -EINVAL;
585
586 if (!isp->inputs[index].camera)
587 return -EINVAL;
"input->index" is a u32 which comes from the ioctl. We want negative
values of "index" to be counted as -EINVAL but they aren't. I've fixed
this by changing the type of "isp->input_cnt" to unsigned int.
Fixes: a49d25364dfb ("staging/atomisp: Add support for the Intel IPU v2")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
diff --git a/drivers/staging/media/atomisp/pci/atomisp2/atomisp_internal.h b/drivers/staging/media/atomisp/pci/atomisp2/atomisp_internal.h
index d3667132851b..c8e0c4fe3717 100644
--- a/drivers/staging/media/atomisp/pci/atomisp2/atomisp_internal.h
+++ b/drivers/staging/media/atomisp/pci/atomisp2/atomisp_internal.h
@@ -275,7 +275,7 @@ struct atomisp_device {
*/
struct mutex streamoff_mutex;
- int input_cnt;
+ unsigned int input_cnt;
struct atomisp_input_subdev inputs[ATOM_ISP_MAX_INPUTS];
struct v4l2_subdev *flash;
struct v4l2_subdev *motor;
^ permalink raw reply related [flat|nested] 6+ messages in thread
* [PATCH] [media] atomisp2: Array underflow in atomisp_enum_input()
@ 2017-07-19 9:55 ` Dan Carpenter
0 siblings, 0 replies; 6+ messages in thread
From: Dan Carpenter @ 2017-07-19 9:55 UTC (permalink / raw)
To: Mauro Carvalho Chehab
Cc: Greg Kroah-Hartman, Alan Cox, linux-media, devel, kernel-janitors
The problem here is this code from atomisp_enum_input():
581 int index = input->index;
582
583 if (index >= isp->input_cnt)
584 return -EINVAL;
585
586 if (!isp->inputs[index].camera)
587 return -EINVAL;
"input->index" is a u32 which comes from the ioctl. We want negative
values of "index" to be counted as -EINVAL but they aren't. I've fixed
this by changing the type of "isp->input_cnt" to unsigned int.
Fixes: a49d25364dfb ("staging/atomisp: Add support for the Intel IPU v2")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
diff --git a/drivers/staging/media/atomisp/pci/atomisp2/atomisp_internal.h b/drivers/staging/media/atomisp/pci/atomisp2/atomisp_internal.h
index d3667132851b..c8e0c4fe3717 100644
--- a/drivers/staging/media/atomisp/pci/atomisp2/atomisp_internal.h
+++ b/drivers/staging/media/atomisp/pci/atomisp2/atomisp_internal.h
@@ -275,7 +275,7 @@ struct atomisp_device {
*/
struct mutex streamoff_mutex;
- int input_cnt;
+ unsigned int input_cnt;
struct atomisp_input_subdev inputs[ATOM_ISP_MAX_INPUTS];
struct v4l2_subdev *flash;
struct v4l2_subdev *motor;
^ permalink raw reply related [flat|nested] 6+ messages in thread
* [PATCH] [media] atomisp2: array underflow in ap1302_enum_frame_size()
2017-07-19 9:55 ` Dan Carpenter
@ 2017-07-19 9:56 ` Dan Carpenter
-1 siblings, 0 replies; 6+ messages in thread
From: Dan Carpenter @ 2017-07-19 9:56 UTC (permalink / raw)
To: Mauro Carvalho Chehab
Cc: Greg Kroah-Hartman, Alan Cox, linux-media, devel, linux-kernel,
kernel-janitors
The problem is this code from ap1302_enum_frame_size():
738 int index = fse->index;
739
740 mutex_lock(&dev->input_lock);
741 context = ap1302_get_context(sd);
742 if (index >= dev->cntx_res[context].res_num) {
743 mutex_unlock(&dev->input_lock);
744 return -EINVAL;
745 }
746
747 res_table = dev->cntx_res[context].res_table;
748 fse->min_width = res_table[index].width;
"fse->index" is a u32 that come from the user. We want negative values
of "index" to be treated as -EINVAL but they're not so we can read from
before the start of the res_table[] array.
I've fixed this by making "res_num" a u32. I made "cur_res" a u32 as
well, just for consistency.
Fixes: a49d25364dfb ("staging/atomisp: Add support for the Intel IPU v2")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
diff --git a/drivers/staging/media/atomisp/i2c/ap1302.h b/drivers/staging/media/atomisp/i2c/ap1302.h
index 9341232c580d..4d0b181a9671 100644
--- a/drivers/staging/media/atomisp/i2c/ap1302.h
+++ b/drivers/staging/media/atomisp/i2c/ap1302.h
@@ -158,8 +158,8 @@ struct ap1302_res_struct {
};
struct ap1302_context_res {
- s32 res_num;
- s32 cur_res;
+ u32 res_num;
+ u32 cur_res;
struct ap1302_res_struct *res_table;
};
^ permalink raw reply related [flat|nested] 6+ messages in thread
* [PATCH] [media] atomisp2: array underflow in ap1302_enum_frame_size()
@ 2017-07-19 9:56 ` Dan Carpenter
0 siblings, 0 replies; 6+ messages in thread
From: Dan Carpenter @ 2017-07-19 9:56 UTC (permalink / raw)
To: Mauro Carvalho Chehab
Cc: Greg Kroah-Hartman, Alan Cox, linux-media, devel, linux-kernel,
kernel-janitors
The problem is this code from ap1302_enum_frame_size():
738 int index = fse->index;
739
740 mutex_lock(&dev->input_lock);
741 context = ap1302_get_context(sd);
742 if (index >= dev->cntx_res[context].res_num) {
743 mutex_unlock(&dev->input_lock);
744 return -EINVAL;
745 }
746
747 res_table = dev->cntx_res[context].res_table;
748 fse->min_width = res_table[index].width;
"fse->index" is a u32 that come from the user. We want negative values
of "index" to be treated as -EINVAL but they're not so we can read from
before the start of the res_table[] array.
I've fixed this by making "res_num" a u32. I made "cur_res" a u32 as
well, just for consistency.
Fixes: a49d25364dfb ("staging/atomisp: Add support for the Intel IPU v2")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
diff --git a/drivers/staging/media/atomisp/i2c/ap1302.h b/drivers/staging/media/atomisp/i2c/ap1302.h
index 9341232c580d..4d0b181a9671 100644
--- a/drivers/staging/media/atomisp/i2c/ap1302.h
+++ b/drivers/staging/media/atomisp/i2c/ap1302.h
@@ -158,8 +158,8 @@ struct ap1302_res_struct {
};
struct ap1302_context_res {
- s32 res_num;
- s32 cur_res;
+ u32 res_num;
+ u32 cur_res;
struct ap1302_res_struct *res_table;
};
^ permalink raw reply related [flat|nested] 6+ messages in thread
* [PATCH] [media] atomisp2: array underflow in imx_enum_frame_size()
2017-07-19 9:55 ` Dan Carpenter
@ 2017-07-19 9:58 ` Dan Carpenter
-1 siblings, 0 replies; 6+ messages in thread
From: Dan Carpenter @ 2017-07-19 9:58 UTC (permalink / raw)
To: Mauro Carvalho Chehab
Cc: Greg Kroah-Hartman, Alan Cox, linux-media, devel, kernel-janitors
The code looks in imx_enum_frame_size() looks like this:
2066 int index = fse->index;
2067 struct imx_device *dev = to_imx_sensor(sd);
2068
2069 mutex_lock(&dev->input_lock);
2070 if (index >= dev->entries_curr_table) {
2071 mutex_unlock(&dev->input_lock);
2072 return -EINVAL;
2073 }
2074
2075 fse->min_width = dev->curr_res_table[index].width;
"fse->index" is a u32 that comes from the user. We want negative values
of "index" to be -EINVAL so we don't read before the start of the
dev->curr_res_table[] array. I've made "entries_curr_table" unsigned
long to fix this. I thought about making it unsigned int, but because
of struct alignment, it doesn't use more memory either way.
Fixes: a49d25364dfb ("staging/atomisp: Add support for the Intel IPU v2")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
diff --git a/drivers/staging/media/atomisp/i2c/imx/imx.h b/drivers/staging/media/atomisp/i2c/imx/imx.h
index 36b3f3a5a41f..41b4133ca995 100644
--- a/drivers/staging/media/atomisp/i2c/imx/imx.h
+++ b/drivers/staging/media/atomisp/i2c/imx/imx.h
@@ -480,7 +480,7 @@ struct imx_device {
struct imx_vcm *vcm_driver;
struct imx_otp *otp_driver;
const struct imx_resolution *curr_res_table;
- int entries_curr_table;
+ unsigned long entries_curr_table;
const struct firmware *fw;
struct imx_reg_addr *reg_addr;
const struct imx_reg *param_hold;
diff --git a/drivers/staging/media/atomisp/i2c/ov8858.h b/drivers/staging/media/atomisp/i2c/ov8858.h
index 9be6a0e63861..d3fde200c013 100644
--- a/drivers/staging/media/atomisp/i2c/ov8858.h
+++ b/drivers/staging/media/atomisp/i2c/ov8858.h
@@ -266,7 +266,7 @@ struct ov8858_device {
const struct ov8858_reg *regs;
struct ov8858_vcm *vcm_driver;
const struct ov8858_resolution *curr_res_table;
- int entries_curr_table;
+ unsigned long entries_curr_table;
struct v4l2_ctrl_handler ctrl_handler;
struct v4l2_ctrl *run_mode;
diff --git a/drivers/staging/media/atomisp/i2c/ov8858_btns.h b/drivers/staging/media/atomisp/i2c/ov8858_btns.h
index 09e3cdc1a394..f9a3cf8fbf1a 100644
--- a/drivers/staging/media/atomisp/i2c/ov8858_btns.h
+++ b/drivers/staging/media/atomisp/i2c/ov8858_btns.h
@@ -266,7 +266,7 @@ struct ov8858_device {
const struct ov8858_reg *regs;
struct ov8858_vcm *vcm_driver;
const struct ov8858_resolution *curr_res_table;
- int entries_curr_table;
+ unsigned long entries_curr_table;
struct v4l2_ctrl_handler ctrl_handler;
struct v4l2_ctrl *run_mode;
^ permalink raw reply related [flat|nested] 6+ messages in thread
* [PATCH] [media] atomisp2: array underflow in imx_enum_frame_size()
@ 2017-07-19 9:58 ` Dan Carpenter
0 siblings, 0 replies; 6+ messages in thread
From: Dan Carpenter @ 2017-07-19 9:58 UTC (permalink / raw)
To: Mauro Carvalho Chehab
Cc: Greg Kroah-Hartman, Alan Cox, linux-media, devel, kernel-janitors
The code looks in imx_enum_frame_size() looks like this:
2066 int index = fse->index;
2067 struct imx_device *dev = to_imx_sensor(sd);
2068
2069 mutex_lock(&dev->input_lock);
2070 if (index >= dev->entries_curr_table) {
2071 mutex_unlock(&dev->input_lock);
2072 return -EINVAL;
2073 }
2074
2075 fse->min_width = dev->curr_res_table[index].width;
"fse->index" is a u32 that comes from the user. We want negative values
of "index" to be -EINVAL so we don't read before the start of the
dev->curr_res_table[] array. I've made "entries_curr_table" unsigned
long to fix this. I thought about making it unsigned int, but because
of struct alignment, it doesn't use more memory either way.
Fixes: a49d25364dfb ("staging/atomisp: Add support for the Intel IPU v2")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
diff --git a/drivers/staging/media/atomisp/i2c/imx/imx.h b/drivers/staging/media/atomisp/i2c/imx/imx.h
index 36b3f3a5a41f..41b4133ca995 100644
--- a/drivers/staging/media/atomisp/i2c/imx/imx.h
+++ b/drivers/staging/media/atomisp/i2c/imx/imx.h
@@ -480,7 +480,7 @@ struct imx_device {
struct imx_vcm *vcm_driver;
struct imx_otp *otp_driver;
const struct imx_resolution *curr_res_table;
- int entries_curr_table;
+ unsigned long entries_curr_table;
const struct firmware *fw;
struct imx_reg_addr *reg_addr;
const struct imx_reg *param_hold;
diff --git a/drivers/staging/media/atomisp/i2c/ov8858.h b/drivers/staging/media/atomisp/i2c/ov8858.h
index 9be6a0e63861..d3fde200c013 100644
--- a/drivers/staging/media/atomisp/i2c/ov8858.h
+++ b/drivers/staging/media/atomisp/i2c/ov8858.h
@@ -266,7 +266,7 @@ struct ov8858_device {
const struct ov8858_reg *regs;
struct ov8858_vcm *vcm_driver;
const struct ov8858_resolution *curr_res_table;
- int entries_curr_table;
+ unsigned long entries_curr_table;
struct v4l2_ctrl_handler ctrl_handler;
struct v4l2_ctrl *run_mode;
diff --git a/drivers/staging/media/atomisp/i2c/ov8858_btns.h b/drivers/staging/media/atomisp/i2c/ov8858_btns.h
index 09e3cdc1a394..f9a3cf8fbf1a 100644
--- a/drivers/staging/media/atomisp/i2c/ov8858_btns.h
+++ b/drivers/staging/media/atomisp/i2c/ov8858_btns.h
@@ -266,7 +266,7 @@ struct ov8858_device {
const struct ov8858_reg *regs;
struct ov8858_vcm *vcm_driver;
const struct ov8858_resolution *curr_res_table;
- int entries_curr_table;
+ unsigned long entries_curr_table;
struct v4l2_ctrl_handler ctrl_handler;
struct v4l2_ctrl *run_mode;
^ permalink raw reply related [flat|nested] 6+ messages in thread
end of thread, other threads:[~2017-07-19 9:58 UTC | newest]
Thread overview: 6+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2017-07-19 9:55 [PATCH] [media] atomisp2: Array underflow in atomisp_enum_input() Dan Carpenter
2017-07-19 9:55 ` Dan Carpenter
2017-07-19 9:56 [PATCH] [media] atomisp2: array underflow in ap1302_enum_frame_size() Dan Carpenter
2017-07-19 9:56 ` Dan Carpenter
2017-07-19 9:58 [PATCH] [media] atomisp2: array underflow in imx_enum_frame_size() Dan Carpenter
2017-07-19 9:58 ` Dan Carpenter
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.