media: vivid: s_fbuf: add more sanity checks

stable inclusion from stable-v5.10.153 commit 1cf51d51581c1e0a876623e0a89d10029fc8cdc4 category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I64YCA Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=1cf51d51581c1e0a876623e0a89d10029fc8cdc4 -------------------------------- [ Upstream commit f8bcaf71 ] VIDIOC_S_FBUF is by definition a scary ioctl, which is why only root can use it. But at least check if the framebuffer parameters match that of one of the framebuffer created by vivid, and reject anything else. Signed-off-by: N Hans Verkuil <hverkuil-cisco@xs4all.nl> Fixes: ef834f78 ([media] vivid: add the video capture and output parts) Signed-off-by: N Mauro Carvalho Chehab <mchehab@kernel.org> Signed-off-by: N Sasha Levin <sashal@kernel.org> Signed-off-by: N Lipeng Sang <sanglipeng1@jd.com>

media: vivid: s_fbuf: add more sanity checks
stable inclusion from stable-v5.10.153 commit 1cf51d51581c1e0a876623e0a89d10029fc8cdc4 category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I64YCA Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=1cf51d51581c1e0a876623e0a89d10029fc8cdc4 -------------------------------- [ Upstream commit f8bcaf71 ] VIDIOC_S_FBUF is by definition a scary ioctl, which is why only root can use it. But at least check if the framebuffer parameters match that of one of the framebuffer created by vivid, and reject anything else. Signed-off-by: N Hans Verkuil <hverkuil-cisco@xs4all.nl> Fixes: ef834f78 ([media] vivid: add the video capture and output parts) Signed-off-by: N Mauro Carvalho Chehab <mchehab@kernel.org> Signed-off-by: N Sasha Levin <sashal@kernel.org> Signed-off-by: N Lipeng Sang <sanglipeng1@jd.com>
a388caac · Hans Verkuil · Lipeng Sang · cdf8cabf · a388caac · a388caac
3 changed file
--- a/drivers/media/test-drivers/vivid/vivid-core.c
+++ b/drivers/media/test-drivers/vivid/vivid-core.c
@@ -330,6 +330,28 @@ static int vidioc_g_fbuf(struct file *file, void *fh, struct v4l2_framebuffer *a
 	return vivid_vid_out_g_fbuf(file, fh, a);
 }
+/*
+ * Only support the framebuffer of one of the vivid instances.
+ * Anything else is rejected.
+ */
+bool vivid_validate_fb(const struct v4l2_framebuffer *a)
+{
+	struct vivid_dev *dev;
+	int i;
+	for (i = 0; i < n_devs; i++) {
+		dev = vivid_devs[i];
+		if (!dev || !dev->video_pbase)
+			continue;
+		if ((unsigned long)a->base == dev->video_pbase &&
+		    a->fmt.width <= dev->display_width &&
+		    a->fmt.height <= dev->display_height &&
+		    a->fmt.bytesperline <= dev->display_byte_stride)
+			return true;
+	}
+	return false;
+}
 static int vidioc_s_fbuf(struct file *file, void *fh, const struct v4l2_framebuffer *a)
 {
 	struct video_device *vdev = video_devdata(file);

--- a/drivers/media/test-drivers/vivid/vivid-core.h
+++ b/drivers/media/test-drivers/vivid/vivid-core.h
@@ -609,4 +609,6 @@ static inline bool vivid_is_hdmi_out(const struct vivid_dev *dev)
 	return dev->output_type[dev->output] == HDMI;
 }
+bool vivid_validate_fb(const struct v4l2_framebuffer *a);
 #endif
--- a/drivers/media/test-drivers/vivid/vivid-vid-cap.c
+++ b/drivers/media/test-drivers/vivid/vivid-vid-cap.c
@@ -1277,7 +1277,14 @@ int vivid_vid_cap_s_fbuf(struct file *file, void *fh,
 		return -EINVAL;
 	if (a->fmt.bytesperline < (a->fmt.width * fmt->bit_depth[0]) / 8)
 		return -EINVAL;
-	if (a->fmt.height * a->fmt.bytesperline < a->fmt.sizeimage)
+	if (a->fmt.bytesperline > a->fmt.sizeimage / a->fmt.height)
+		return -EINVAL;
+	/*
+	 * Only support the framebuffer of one of the vivid instances.
+	 * Anything else is rejected.
+	 */
+	if (!vivid_validate_fb(a))
 		return -EINVAL;
 	dev->fb_vbase_cap = phys_to_virt((unsigned long)a->base);