author | Terence Ho <terenceh@codeaurora.org> | 2017-05-11 11:52:58 -0400 |
---|---|---|
committer | Andy Sun <bins@codeaurora.org> | 2017-05-25 12:37:28 +0800 |
commit | 2cad8aa2f2378e7445ab916e346ec6108e9b437a (patch) | |
tree | b9f7884b180a6c2ea84931afda707d298a6f70bc /drivers/media | |
parent | 96e3d4de6da5b613fbc32f1485b2d4ce491eb4cb (diff) |
msm: ais: Fix kernel overwrite GET_BUF_BY_IDX ioctl
Assign address of buf_info into ioctl_ptr.
Previously we were copying the first 8 bytes of buf_info (content)
into ioctl_ptr, which is dereferenced and written later, causing a
kernel overwrite vulnerability.
CRs-fixed: 2013631
Change-Id: Ia27dafe003c2c4d7a59dc2976bee2cfc15978403
Signed-off-by: Terence Ho <terenceh@codeaurora.org>
Signed-off-by: Andy Sun <bins@codeaurora.org>
Diffstat (limited to 'drivers/media')
-rw-r--r-- | drivers/media/platform/msm/ais/msm_buf_mgr/msm_generic_buf_mgr.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/drivers/media/platform/msm/ais/msm_buf_mgr/msm_generic_buf_mgr.c b/drivers/media/platform/msm/ais/msm_buf_mgr/msm_generic_buf_mgr.c index 675bf6b24b03..073b91a6d2d9 100644 --- a/drivers/media/platform/msm/ais/msm_buf_mgr/msm_generic_buf_mgr.c +++ b/drivers/media/platform/msm/ais/msm_buf_mgr/msm_generic_buf_mgr.c @@ -561,8 +561,8 @@ static long msm_buf_mngr_subdev_ioctl(struct v4l2_subdev *sd, sizeof(struct msm_buf_mngr_info))) { return -EFAULT; } - MSM_CAM_GET_IOCTL_ARG_PTR(&k_ioctl.ioctl_ptr, - &buf_info, sizeof(void *)); + k_ioctl.ioctl_ptr = (uintptr_t)&buf_info; + argp = &k_ioctl; rc = msm_cam_buf_mgr_ops(cmd, argp); } |
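Review bot: In msm_buf_mngr_subdev_ioctl, the new `k_ioctl.ioctl_ptr = (uintptr_t)&buf_info;` hands msm_cam_buf_mgr_ops the address of a kernel stack object to write through, but the visible context does not show k_ioctl.size being checked against sizeof(struct msm_buf_mngr_info). If that check is not just above this hunk, add it before the call so the callee cannot write past buf_info. The added `argp = &k_ioctl;` is also not covered by the commit message, which describes only the ioctl_ptr assignment; a sentence on why argp has to be redirected would help. A short comment at the assignment stating that the address of buf_info, not its contents, is intended would make the distinction from the removed MSM_CAM_GET_IOCTL_ARG_PTR(..., &buf_info, sizeof(void *)) call obvious to the next reader.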