linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
* [PATCH] media: imx274: fix stack corruption in imx274_read_reg
@ 2018-11-26 16:35 Luca Ceresoli
  2018-11-27  9:01 ` Sakari Ailus
  0 siblings, 1 reply; 2+ messages in thread
From: Luca Ceresoli @ 2018-11-26 16:35 UTC (permalink / raw)
  To: linux-media
  Cc: Luca Ceresoli, Sakari Ailus, Leon Luo, Mauro Carvalho Chehab,
	linux-kernel, stable

imx274_read_reg() takes a u8 pointer ("reg") and casts it to pass it
to regmap_read(), which takes an unsigned int pointer. This results in
a corrupted stack and random crashes.

Fixes: 0985dd306f72 ("media: imx274: V4l2 driver for Sony imx274 CMOS sensor")
Cc: stable@vger.kernel.org # 4.15.x
Signed-off-by: Luca Ceresoli <luca@lucaceresoli.net>

---

Notes!

I have no evidence of this bug showing up in the mainline driver. It
appeared on a modified version where imx274_read_reg() is used,
unmodified, in a different way than it does in mainline (passing a
pointer to a single u8 instead of a pointer to an element of a u8
array).

Also the bug is only present in versions v4.15 (where the driver was
added) to v4.19. The offending function is unused since commit
ca017467c78b ("media: imx274: add helper to read multibyte
registers"), merged in v4.20-rc1, thus master is not affected. I'm
sending this bugfix patch anyway for easier integration in the stable
branches. Later I plan to send a patch against master to entirely
remove the function. Or somebody might want to use this function
again, so better having a fixed version out anyway.

I'm not 100% sure this qualifies this commit for stable trees.
---
 drivers/media/i2c/imx274.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/drivers/media/i2c/imx274.c b/drivers/media/i2c/imx274.c
index e1b0395a657f..40c717f13eb8 100644
--- a/drivers/media/i2c/imx274.c
+++ b/drivers/media/i2c/imx274.c
@@ -619,16 +619,19 @@ static int imx274_write_table(struct stimx274 *priv, const struct reg_8 table[])
 
 static inline int imx274_read_reg(struct stimx274 *priv, u16 addr, u8 *val)
 {
+	unsigned int uint_val;
 	int err;
 
-	err = regmap_read(priv->regmap, addr, (unsigned int *)val);
+	err = regmap_read(priv->regmap, addr, &uint_val);
 	if (err)
 		dev_err(&priv->client->dev,
 			"%s : i2c read failed, addr = %x\n", __func__, addr);
 	else
 		dev_dbg(&priv->client->dev,
 			"%s : addr 0x%x, val=0x%x\n", __func__,
-			addr, *val);
+			addr, uint_val);
+
+	*val = uint_val;
 	return err;
 }
 
-- 
2.17.1


^ permalink raw reply related	[flat|nested] 2+ messages in thread
* Re: [PATCH] media: imx274: fix stack corruption in imx274_read_reg
  2018-11-26 16:35 [PATCH] media: imx274: fix stack corruption in imx274_read_reg Luca Ceresoli
@ 2018-11-27  9:01 ` Sakari Ailus
  0 siblings, 0 replies; 2+ messages in thread
From: Sakari Ailus @ 2018-11-27  9:01 UTC (permalink / raw)
  To: Luca Ceresoli
  Cc: linux-media, Sakari Ailus, Leon Luo, Mauro Carvalho Chehab,
	linux-kernel, stable

On Mon, Nov 26, 2018 at 05:35:07PM +0100, Luca Ceresoli wrote:
> imx274_read_reg() takes a u8 pointer ("reg") and casts it to pass it
> to regmap_read(), which takes an unsigned int pointer. This results in
> a corrupted stack and random crashes.
> 
> Fixes: 0985dd306f72 ("media: imx274: V4l2 driver for Sony imx274 CMOS sensor")
> Cc: stable@vger.kernel.org # 4.15.x

Applied, with the following line changed to:

Cc: stable@vger.kernel.org # for 4.15 and up

FYI: if you add Cc: stable tag to the patch, it'll end up to the stable
trees; no need to explicitly add the stable@vger address to the recipients.

> Signed-off-by: Luca Ceresoli <luca@lucaceresoli.net>
> 
> ---
> 
> Notes!
> 
> I have no evidence of this bug showing up in the mainline driver. It
> appeared on a modified version where imx274_read_reg() is used,
> unmodified, in a different way than it does in mainline (passing a
> pointer to a single u8 instead of a pointer to an element of a u8
> array).
> 
> Also the bug is only present in versions v4.15 (where the driver was
> added) to v4.19. The offending function is unused since commit
> ca017467c78b ("media: imx274: add helper to read multibyte
> registers"), merged in v4.20-rc1, thus master is not affected. I'm
> sending this bugfix patch anyway for easier integration in the stable
> branches. Later I plan to send a patch against master to entirely
> remove the function. Or somebody might want to use this function
> again, so better having a fixed version out anyway.
> 
> I'm not 100% sure this qualifies this commit for stable trees.
> ---
>  drivers/media/i2c/imx274.c | 7 +++++--
>  1 file changed, 5 insertions(+), 2 deletions(-)
> 
> diff --git a/drivers/media/i2c/imx274.c b/drivers/media/i2c/imx274.c
> index e1b0395a657f..40c717f13eb8 100644
> --- a/drivers/media/i2c/imx274.c
> +++ b/drivers/media/i2c/imx274.c
> @@ -619,16 +619,19 @@ static int imx274_write_table(struct stimx274 *priv, const struct reg_8 table[])
>  
>  static inline int imx274_read_reg(struct stimx274 *priv, u16 addr, u8 *val)
>  {
> +	unsigned int uint_val;
>  	int err;
>  
> -	err = regmap_read(priv->regmap, addr, (unsigned int *)val);
> +	err = regmap_read(priv->regmap, addr, &uint_val);
>  	if (err)
>  		dev_err(&priv->client->dev,
>  			"%s : i2c read failed, addr = %x\n", __func__, addr);
>  	else
>  		dev_dbg(&priv->client->dev,
>  			"%s : addr 0x%x, val=0x%x\n", __func__,
> -			addr, *val);
> +			addr, uint_val);
> +
> +	*val = uint_val;
>  	return err;
>  }
>  
> -- 
> 2.17.1
> 

-- 
Sakari Ailus
e-mail: sakari.ailus@iki.fi

^ permalink raw reply	[flat|nested] 2+ messages in thread
end of thread, other threads:[~2018-11-27  9:01 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2018-11-26 16:35 [PATCH] media: imx274: fix stack corruption in imx274_read_reg Luca Ceresoli
2018-11-27  9:01 ` Sakari Ailus

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).