* [PATCH v2] media: videobuf2: Fix integer overrun in vb2_mmap
@ 2021-03-10 7:51 Ricardo Ribalda
2021-06-04 12:04 ` Tomasz Figa
0 siblings, 1 reply; 3+ messages in thread
From: Ricardo Ribalda @ 2021-03-10 7:51 UTC (permalink / raw)
To: Tomasz Figa, Marek Szyprowski, linux-media, linux-kernel, Jiri Slaby
Cc: Ricardo Ribalda, Sergey Senozhatsky, stable
The plane_length is an unsigned integer. So, if we have a size of
0xffffffff bytes we incorrectly allocate 0 bytes instead of 1 << 32.
Suggested-by: Sergey Senozhatsky <senozhatsky@chromium.org>
Cc: stable@vger.kernel.org
Fixes: 7f8414594e47 ("[media] media: videobuf2: fix the length check for mmap")
Reviewed-by: Sergey Senozhatsky <senozhatsky@chromium.org>
Signed-off-by: Ricardo Ribalda <ribalda@chromium.org>
---
drivers/media/common/videobuf2/videobuf2-core.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/media/common/videobuf2/videobuf2-core.c b/drivers/media/common/videobuf2/videobuf2-core.c
index 543da515c761..89c8bacb94a7 100644
--- a/drivers/media/common/videobuf2/videobuf2-core.c
+++ b/drivers/media/common/videobuf2/videobuf2-core.c
@@ -2256,7 +2256,7 @@ int vb2_mmap(struct vb2_queue *q, struct vm_area_struct *vma)
* The buffer length was page_aligned at __vb2_buf_mem_alloc(),
* so, we need to do the same here.
*/
- length = PAGE_ALIGN(vb->planes[plane].length);
+ length = PAGE_ALIGN((unsigned long)vb->planes[plane].length);
if (length < (vma->vm_end - vma->vm_start)) {
dprintk(q, 1,
"MMAP invalid, as it would overflow buffer length\n");
--
2.30.1.766.gb4fecdf3b7-goog
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [PATCH v2] media: videobuf2: Fix integer overrun in vb2_mmap
2021-03-10 7:51 [PATCH v2] media: videobuf2: Fix integer overrun in vb2_mmap Ricardo Ribalda
@ 2021-06-04 12:04 ` Tomasz Figa
2021-06-06 19:45 ` Ricardo Ribalda Delgado
0 siblings, 1 reply; 3+ messages in thread
From: Tomasz Figa @ 2021-06-04 12:04 UTC (permalink / raw)
To: Ricardo Ribalda
Cc: Marek Szyprowski, linux-media, linux-kernel, Jiri Slaby,
Sergey Senozhatsky, stable
On Wed, Mar 10, 2021 at 08:51:27AM +0100, Ricardo Ribalda wrote:
> The plane_length is an unsigned integer. So, if we have a size of
> 0xffffffff bytes we incorrectly allocate 0 bytes instead of 1 << 32.
>
> Suggested-by: Sergey Senozhatsky <senozhatsky@chromium.org>
> Cc: stable@vger.kernel.org
> Fixes: 7f8414594e47 ("[media] media: videobuf2: fix the length check for mmap")
> Reviewed-by: Sergey Senozhatsky <senozhatsky@chromium.org>
> Signed-off-by: Ricardo Ribalda <ribalda@chromium.org>
> ---
> drivers/media/common/videobuf2/videobuf2-core.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/media/common/videobuf2/videobuf2-core.c b/drivers/media/common/videobuf2/videobuf2-core.c
> index 543da515c761..89c8bacb94a7 100644
> --- a/drivers/media/common/videobuf2/videobuf2-core.c
> +++ b/drivers/media/common/videobuf2/videobuf2-core.c
> @@ -2256,7 +2256,7 @@ int vb2_mmap(struct vb2_queue *q, struct vm_area_struct *vma)
> * The buffer length was page_aligned at __vb2_buf_mem_alloc(),
> * so, we need to do the same here.
> */
> - length = PAGE_ALIGN(vb->planes[plane].length);
> + length = PAGE_ALIGN((unsigned long)vb->planes[plane].length);
> if (length < (vma->vm_end - vma->vm_start)) {
> dprintk(q, 1,
> "MMAP invalid, as it would overflow buffer length\n");
> --
> 2.30.1.766.gb4fecdf3b7-goog
>
Acked-by: Tomasz Figa <tfiga@chromium.org>
Best regards,
Tomasz
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [PATCH v2] media: videobuf2: Fix integer overrun in vb2_mmap
2021-06-04 12:04 ` Tomasz Figa
@ 2021-06-06 19:45 ` Ricardo Ribalda Delgado
0 siblings, 0 replies; 3+ messages in thread
From: Ricardo Ribalda Delgado @ 2021-06-06 19:45 UTC (permalink / raw)
To: Tomasz Figa
Cc: Ricardo Ribalda, Marek Szyprowski, linux-media, LKML, Jiri Slaby,
Sergey Senozhatsky, stable
Hi Tomasz
Thanks for your review!
We finally figured out that we would not like to support allocations
of exactly 4GiB. The rest of the code is not designed for it.
And you will get a descriptive enough error if you overrun (at least
in recent kernels):
if (length < (vma->vm_end - vma->vm_start)) {
Best regards!
On Fri, Jun 4, 2021 at 2:06 PM Tomasz Figa <tfiga@chromium.org> wrote:
>
> On Wed, Mar 10, 2021 at 08:51:27AM +0100, Ricardo Ribalda wrote:
> > The plane_length is an unsigned integer. So, if we have a size of
> > 0xffffffff bytes we incorrectly allocate 0 bytes instead of 1 << 32.
> >
> > Suggested-by: Sergey Senozhatsky <senozhatsky@chromium.org>
> > Cc: stable@vger.kernel.org
> > Fixes: 7f8414594e47 ("[media] media: videobuf2: fix the length check for mmap")
> > Reviewed-by: Sergey Senozhatsky <senozhatsky@chromium.org>
> > Signed-off-by: Ricardo Ribalda <ribalda@chromium.org>
> > ---
> > drivers/media/common/videobuf2/videobuf2-core.c | 2 +-
> > 1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/drivers/media/common/videobuf2/videobuf2-core.c b/drivers/media/common/videobuf2/videobuf2-core.c
> > index 543da515c761..89c8bacb94a7 100644
> > --- a/drivers/media/common/videobuf2/videobuf2-core.c
> > +++ b/drivers/media/common/videobuf2/videobuf2-core.c
> > @@ -2256,7 +2256,7 @@ int vb2_mmap(struct vb2_queue *q, struct vm_area_struct *vma)
> > * The buffer length was page_aligned at __vb2_buf_mem_alloc(),
> > * so, we need to do the same here.
> > */
> > - length = PAGE_ALIGN(vb->planes[plane].length);
> > + length = PAGE_ALIGN((unsigned long)vb->planes[plane].length);
> > if (length < (vma->vm_end - vma->vm_start)) {
> > dprintk(q, 1,
> > "MMAP invalid, as it would overflow buffer length\n");
> > --
> > 2.30.1.766.gb4fecdf3b7-goog
> >
>
> Acked-by: Tomasz Figa <tfiga@chromium.org>
>
> Best regards,
> Tomasz
--
Ricardo Ribalda
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2021-06-06 19:46 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-03-10 7:51 [PATCH v2] media: videobuf2: Fix integer overrun in vb2_mmap Ricardo Ribalda
2021-06-04 12:04 ` Tomasz Figa
2021-06-06 19:45 ` Ricardo Ribalda Delgado
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).