authorTerence Ho <terenceh@codeaurora.org>2017-05-11 11:52:58 -0400
committerAndy Sun <bins@codeaurora.org>2017-05-25 12:37:28 +0800
commit2cad8aa2f2378e7445ab916e346ec6108e9b437a (patch)
treeb9f7884b180a6c2ea84931afda707d298a6f70bc /drivers/media
parent96e3d4de6da5b613fbc32f1485b2d4ce491eb4cb (diff)
msm: ais: Fix kernel overwrite GET_BUF_BY_IDX ioctl
Assign the address of buf_info to ioctl_ptr. Previously we were copying the first 8 bytes of buf_info (its content) into ioctl_ptr, which is dereferenced and written later, causing a kernel overwrite vulnerability. CRs-fixed: 2013631 Change-Id: Ia27dafe003c2c4d7a59dc2976bee2cfc15978403 Signed-off-by: Terence Ho <terenceh@codeaurora.org> Signed-off-by: Andy Sun <bins@codeaurora.org>
Diffstat (limited to 'drivers/media')
-rw-r--r--drivers/media/platform/msm/ais/msm_buf_mgr/msm_generic_buf_mgr.c4
1 files changed, 2 insertions, 2 deletions
diff --git a/drivers/media/platform/msm/ais/msm_buf_mgr/msm_generic_buf_mgr.c b/drivers/media/platform/msm/ais/msm_buf_mgr/msm_generic_buf_mgr.c
index 675bf6b24b03..073b91a6d2d9 100644
--- a/drivers/media/platform/msm/ais/msm_buf_mgr/msm_generic_buf_mgr.c
+++ b/drivers/media/platform/msm/ais/msm_buf_mgr/msm_generic_buf_mgr.c
@@ -561,8 +561,8 @@ static long msm_buf_mngr_subdev_ioctl(struct v4l2_subdev *sd,
sizeof(struct msm_buf_mngr_info))) {
return -EFAULT;
}
- MSM_CAM_GET_IOCTL_ARG_PTR(&k_ioctl.ioctl_ptr,
- &buf_info, sizeof(void *));
+ k_ioctl.ioctl_ptr = (uintptr_t)&buf_info;
+
argp = &k_ioctl;
rc = msm_cam_buf_mgr_ops(cmd, argp);
}
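Review bot: The new assignment silently changes what `k_ioctl.ioctl_ptr` holds — it was a user-supplied address copied in by the `copy_from_user` just above, and from this line on it is the address of the kernel-stack local `buf_info` — but nothing in the hunk records that, so a later reader (or a callee in `msm_cam_buf_mgr_ops`) has no cue that this field must now be treated as a kernel pointer and never handed to `copy_from_user`/`copy_to_user` or back to userspace. I would document it at the assignment: `/* Redirect ioctl_ptr from the user address to the kernel-stack copy; the callee must treat it as a kernel pointer for the lifetime of buf_info. */`. Overwriting the field also discards the original user pointer; if the result in `buf_info` is copied back to the caller after the ops call, that original pointer must have been saved beforehand — I cannot tell from this hunk, since `msm_buf_mngr_subdev_ioctl` begins before it and the code after the `}` is not shown. The removed `MSM_CAM_GET_IOCTL_ARG_PTR` may also have carried 32-bit compat handling for the pointer width; worth confirming that the plain `uintptr_t` cast is correct for the compat ioctl path as well.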