Minki/linux
1
0
Fork 1
mirror of https://github.com/torvalds/linux.git synced 2024-12-04 18:13:04 +00:00
Code Issues Packages Projects Releases Wiki Activity

media: v4l2-core: only zero-out ioctl-read buffers

Browse Source 
The memset() got moved out of the check for _IOC_NONE, so passing a
made-up command number with a size but no direction would allow clearing
data on user-provided pointers.

Move video_get_user() back into the _IOC_NONE check where it belongs.

Reported-by: syzbot+54fd8cca4b7226c94b8e@syzkaller.appspotmail.com
Fixes: 6c625c01c7a6 ("media: v4l2-core: split out data copy from video_usercopy")
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
This commit is contained in:
Arnd Bergmann 2020-01-08 11:00:00 +01:00 committed by Mauro Carvalho Chehab
parent e4b9b6454d
commit 1dc8b65c94
1 changed files with 4 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
drivers/media/v4l2-core/v4l2-ioctl.c
View File

@ -3205,12 +3205,12 @@ video_usercopy(struct file *file, unsigned int orig_cmd, unsigned long arg,
parg = mbuf;
}
err = video_get_user((void __user *)arg, parg, orig_cmd,
&always_copy);
if (err)
goto out;
}
err = video_get_user((void __user *)arg, parg, orig_cmd, &always_copy);
if (err)
goto out;
err = check_array_args(cmd, parg, &array_size, &user_ptr, &kernel_ptr);
if (err < 0)
goto out;