bcm2835-v4l2: Fix buffer overflow problem

https://github.com/raspberrypi/linux/issues/1447 port_parameter_get() failed to account for the header (u32 id and u32 size) in the size before memcpying the response into the response buffer, so overrunning the provided buffer by 8 bytes. Account for those bytes, and also a belt-and-braces check to ensure we never copy more than *value_size bytes into value. Signed-off-by: N Dave Stevenson <dave.stevenson@raspberrypi.org> Signed-off-by: N Michael Zoran <mzoran@crowfest.net> Tested-by: N Michael Zoran <mzoran@crowfest.net> Signed-off-by: N Greg Kroah-Hartman <gregkh@linuxfoundation.org>

bcm2835-v4l2: Fix buffer overflow problem
https://github.com/raspberrypi/linux/issues/1447 port_parameter_get() failed to account for the header (u32 id and u32 size) in the size before memcpying the response into the response buffer, so overrunning the provided buffer by 8 bytes. Account for those bytes, and also a belt-and-braces check to ensure we never copy more than *value_size bytes into value. Signed-off-by: N Dave Stevenson <dave.stevenson@raspberrypi.org> Signed-off-by: N Michael Zoran <mzoran@crowfest.net> Tested-by: N Michael Zoran <mzoran@crowfest.net> Signed-off-by: N Greg Kroah-Hartman <gregkh@linuxfoundation.org>
f7d51372 · Dave Stevenson · Greg Kroah-Hartman · ce95e3a9 · f7d51372
隐藏空白更改
内联并排

Showing with 6 addition and 1 deletion

drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.c drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.c +6 -1

未找到文件。
--- a/drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.c
+++ b/drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.c
@@ -1445,7 +1445,12 @@ static int port_parameter_get(struct vchiq_mmal_instance *instance,
 	}

 	ret = -rmsg->u.port_parameter_get_reply.status;
-	if (ret || (rmsg->u.port_parameter_get_reply.size > *value_size)) {
+	/* port_parameter_get_reply.size includes the header,
+	 * whilst *value_size doesn't.
+	 */
+	rmsg->u.port_parameter_get_reply.size -= (2 * sizeof(u32));
+
+	if (ret || rmsg->u.port_parameter_get_reply.size > *value_size) {
 		/* Copy only as much as we have space for
 		 * but report true size of parameter
 		 */