* [PATCH] media: vb2: add length check for mmap
From: Seung-Woo Kim @ 2013-04-12 3:57 UTC (permalink / raw)
To: linux-media; +Cc: mchehab, m.szyprowski, pawel, kyungmin.park, sw0312.kim
The length of mmap() can be bigger than length of vb2 buffer, so
it should be checked.
Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>
---
drivers/media/v4l2-core/videobuf2-core.c | 5 +++++
1 files changed, 5 insertions(+), 0 deletions(-)
diff --git a/drivers/media/v4l2-core/videobuf2-core.c b/drivers/media/v4l2-core/videobuf2-core.c
index db1235d..2c6ff2d 100644
--- a/drivers/media/v4l2-core/videobuf2-core.c
+++ b/drivers/media/v4l2-core/videobuf2-core.c
@@ -1886,6 +1886,11 @@ int vb2_mmap(struct vb2_queue *q, struct vm_area_struct *vma)
vb = q->bufs[buffer];
+ if (vb->v4l2_planes[plane].length < (vma->vm_end - vma->vm_start)) {
+ dprintk(1, "Invalid length\n");
+ return -EINVAL;
+ }
+
ret = call_memop(q, mmap, vb->planes[plane].mem_priv, vma);
if (ret)
return ret;
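Review bot: The new test in vb2_mmap(), `vb->v4l2_planes[plane].length < (vma->vm_end - vma->vm_start)`, compares a driver-supplied byte length with a VMA size that is always a whole number of pages, so a plane whose length is not a multiple of PAGE_SIZE can never be mapped once this check is in place. Comparing against `PAGE_ALIGN(vb->v4l2_planes[plane].length)` would keep the rejection of oversized mappings without breaking those buffers, provided the tail of the last page is safe to expose for every allocator behind `call_memop(q, mmap, ...)`.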
--
1.7.4.1
* Re: [PATCH] media: vb2: add length check for mmap
From: Marek Szyprowski @ 2013-04-12 6:03 UTC (permalink / raw)
To: Seung-Woo Kim; +Cc: linux-media, mchehab, pawel, kyungmin.park
On 4/12/2013 5:57 AM, Seung-Woo Kim wrote:
> The length of mmap() can be bigger than length of vb2 buffer, so
> it should be checked.
>
> Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>
Acked-by: Marek Szyprowski <m.szyprowski@samsung.com>
> ---
> drivers/media/v4l2-core/videobuf2-core.c | 5 +++++
> 1 files changed, 5 insertions(+), 0 deletions(-)
>
> diff --git a/drivers/media/v4l2-core/videobuf2-core.c b/drivers/media/v4l2-core/videobuf2-core.c
> index db1235d..2c6ff2d 100644
> --- a/drivers/media/v4l2-core/videobuf2-core.c
> +++ b/drivers/media/v4l2-core/videobuf2-core.c
> @@ -1886,6 +1886,11 @@ int vb2_mmap(struct vb2_queue *q, struct vm_area_struct *vma)
>
> vb = q->bufs[buffer];
>
> + if (vb->v4l2_planes[plane].length < (vma->vm_end - vma->vm_start)) {
> + dprintk(1, "Invalid length\n");
> + return -EINVAL;
> + }
> +
> ret = call_memop(q, mmap, vb->planes[plane].mem_priv, vma);
> if (ret)
> return ret;
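Review bot: The `dprintk(1, "Invalid length\n")` line in the added block does not say which sizes were compared; printing the plane length and the requested `vma->vm_end - vma->vm_start` would make a rejected mapping diagnosable from the log. The commit message should also say what goes wrong when an oversized VMA reaches `call_memop(q, mmap, ...)`, since that is the justification for returning -EINVAL here.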
Best regards
--
Marek Szyprowski
Samsung Poland R&D Center
* Re: [PATCH] media: vb2: add length check for mmap
From: Laurent Pinchart @ 2013-04-16 10:21 UTC (permalink / raw)
To: Marek Szyprowski
Cc: Seung-Woo Kim, linux-media, mchehab, pawel, kyungmin.park
On Friday 12 April 2013 08:03:15 Marek Szyprowski wrote:
> On 4/12/2013 5:57 AM, Seung-Woo Kim wrote:
> > The length of mmap() can be bigger than length of vb2 buffer, so
> > it should be checked.
> >
> > Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>
>
> Acked-by: Marek Szyprowski <m.szyprowski@samsung.com>
This should be pushed to the stable kernels, as it's a potential security
issue.
> > ---
> >
> > drivers/media/v4l2-core/videobuf2-core.c | 5 +++++
> > 1 files changed, 5 insertions(+), 0 deletions(-)
> >
> > diff --git a/drivers/media/v4l2-core/videobuf2-core.c
> > b/drivers/media/v4l2-core/videobuf2-core.c index db1235d..2c6ff2d 100644
> > --- a/drivers/media/v4l2-core/videobuf2-core.c
> > +++ b/drivers/media/v4l2-core/videobuf2-core.c
> > @@ -1886,6 +1886,11 @@ int vb2_mmap(struct vb2_queue *q, struct
> > vm_area_struct *vma)>
> > vb = q->bufs[buffer];
> >
> > + if (vb->v4l2_planes[plane].length < (vma->vm_end - vma->vm_start)) {
> > + dprintk(1, "Invalid length\n");
> > + return -EINVAL;
> > + }
> > +
> >
> > ret = call_memop(q, mmap, vb->planes[plane].mem_priv, vma);
> > if (ret)
> >
> > return ret;
--
Regards,
Laurent Pinchart
* Re: [PATCH] media: vb2: add length check for mmap
From: 김승우 @ 2013-04-18 2:53 UTC (permalink / raw)
To: Marek Szyprowski; +Cc: linux-media, mchehab, pawel, kyungmin.park, sw0312.kim
Oops, there is an issue.
vb2-core does not PAGE_ALIGN the length of the buffer, but mmap() always does
PAGE_ALIGN its length.
So a non-PAGE_ALIGNed buffer length from the driver side cannot be mmapped with
this patch.
On 2013-04-12 15:03, Marek Szyprowski wrote:
>
> On 4/12/2013 5:57 AM, Seung-Woo Kim wrote:
>> The length of mmap() can be bigger than length of vb2 buffer, so
>> it should be checked.
>>
>> Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>
>
> Acked-by: Marek Szyprowski <m.szyprowski@samsung.com>
>
>> ---
>> drivers/media/v4l2-core/videobuf2-core.c | 5 +++++
>> 1 files changed, 5 insertions(+), 0 deletions(-)
>>
>> diff --git a/drivers/media/v4l2-core/videobuf2-core.c
>> b/drivers/media/v4l2-core/videobuf2-core.c
>> index db1235d..2c6ff2d 100644
>> --- a/drivers/media/v4l2-core/videobuf2-core.c
>> +++ b/drivers/media/v4l2-core/videobuf2-core.c
>> @@ -1886,6 +1886,11 @@ int vb2_mmap(struct vb2_queue *q, struct
>> vm_area_struct *vma)
>> vb = q->bufs[buffer];
>> + if (vb->v4l2_planes[plane].length < (vma->vm_end -
>> vma->vm_start)) {
>> + dprintk(1, "Invalid length\n");
>> + return -EINVAL;
>> + }
>> +
>> ret = call_memop(q, mmap, vb->planes[plane].mem_priv, vma);
>> if (ret)
>> return ret;
>
> Best regards
--
Seung-Woo Kim
Samsung Software R&D Center
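
The page-alignment problem described in this last message can be reproduced in a small userspace model. This is an added example, not code from the thread or from the kernel: `MODEL_PAGE_SIZE`, `check_strict()`, `check_page_aligned()` and `vma_end_for()` are hypothetical names, the 4096-byte page size is an assumption, and the buffer sizes are constructed.

```c
#include <errno.h>
#include <stdio.h>

/* Assumed page size for this model; the kernel uses the architecture's PAGE_SIZE. */
#define MODEL_PAGE_SIZE 4096UL
#define MODEL_PAGE_ALIGN(x) (((x) + MODEL_PAGE_SIZE - 1) & ~(MODEL_PAGE_SIZE - 1))

/* The comparison as written in the patch: plane length against the raw VMA size. */
static int check_strict(unsigned long plane_len,
                        unsigned long vm_start, unsigned long vm_end)
{
    if (plane_len < (vm_end - vm_start))
        return -EINVAL;
    return 0;
}

/* Hypothetical variant: round the plane length up to a page before comparing.
 * Assumes the backing allocation is page-granular, so the tail of the last
 * page belongs to the same buffer. */
static int check_page_aligned(unsigned long plane_len,
                              unsigned long vm_start, unsigned long vm_end)
{
    if (MODEL_PAGE_ALIGN(plane_len) < (vm_end - vm_start))
        return -EINVAL;
    return 0;
}

/* Model of mmap() rounding: the VMA always covers whole pages. */
static unsigned long vma_end_for(unsigned long vm_start, unsigned long req_len)
{
    return vm_start + MODEL_PAGE_ALIGN(req_len);
}

int main(void)
{
    const unsigned long start = 0x10000000UL;  /* constructed mapping address */
    const unsigned long odd = 518400UL;        /* constructed: 126.5625 pages */
    unsigned long exact = vma_end_for(start, odd);
    unsigned long over = vma_end_for(start, odd + MODEL_PAGE_SIZE);

    printf("exact-size map, strict check:       %d\n", check_strict(odd, start, exact));
    printf("exact-size map, page-aligned check: %d\n", check_page_aligned(odd, start, exact));
    printf("oversized map,  page-aligned check: %d\n", check_page_aligned(odd, start, over));
    return 0;
}
```
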