android_kernel_samsung_msm8976/drivers/media/v4l2-core
Daniel Mentz f514ea6147 v4l2: Refactor, fix security bug in compat ioctl32
The 32-bit compat v4l2 ioctl is implemented based on its 64-bit
equivalent. It converts 32-bit data structures into their 64-bit
equivalents and needs to provide the data to the 64-bit ioctl in user
space memory which is commonly allocated using
compat_alloc_user_space(). However, due to how that function is
implemented, it can only be called a single time for every syscall
invocation. Supposedly to avoid this limitation, the existing code uses
a mix of memory from the kernel stack and memory allocated through
compat_alloc_user_space(). Under normal circumstances, this would not
work, because the 64-bit ioctl expects all pointers to point to user
space memory. As a workaround, set_fs(KERNEL_DS) is called to
temporarily disable this extra safety check and allow kernel pointers.
However, this might introduce a security vulnerability: The
result of the 32-bit to 64-bit conversion is writeable by user space
because the output buffer has been allocated via
compat_alloc_user_space(). A malicious user space process could then
manipulate pointers inside this output buffer, and due to the previous
set_fs(KERNEL_DS) call, functions like get_user() or put_user() no longer
prevent kernel memory access.

The new approach is to pre-calculate the total amount of user space
memory that is needed, allocate it using compat_alloc_user_space() and
then divide up the allocated memory to accommodate all data structures
that need to be converted.

An alternative approach would have been to retain the union type karg
that they allocated on the kernel stack in do_video_ioctl(), copy all
data from user space into karg and then back to user space. However,
we decided against this approach because it does not align with other
compat syscall implementations. Instead, we tried to replicate the
get_user/put_user pairs as found in other places in the kernel:

if (get_user(clipcount, &up->clipcount) ||
    put_user(clipcount, &kp->clipcount)) return -EFAULT;

BUG: 34624167
Change-Id: Ica92695d8ddf60c0a067ea2f833f22a71710932e
Signed-off-by: Daniel Mentz <danielmentz@google.com>
Reported-by: C0RE Team
2017-12-22 20:26:04 +00:00
Kconfig
Makefile
tuner-core.c
v4l2-common.c
v4l2-compat-ioctl32.c v4l2: Refactor, fix security bug in compat ioctl32 2017-12-22 20:26:04 +00:00
v4l2-ctrls.c
v4l2-dev.c
v4l2-device.c
v4l2-event.c
v4l2-fh.c
v4l2-int-device.c
v4l2-ioctl.c
v4l2-mem2mem.c
v4l2-of.c
v4l2-subdev.c
videobuf-core.c
videobuf-dma-contig.c
videobuf-dma-sg.c
videobuf-dvb.c
videobuf-msm-mem.c
videobuf-vmalloc.c
videobuf2-core.c
videobuf2-dma-contig.c media: vb2 dma-contig: Fully cache synchronise buffers in prepare and finish 2016-02-19 14:22:39 -08:00
videobuf2-dma-sg.c
videobuf2-memops.c
videobuf2-vmalloc.c