Hi Sakari,

On Tuesday 08 December 2015 17:29:16 Sakari Ailus wrote:
> On Mon, Dec 07, 2015 at 10:45:39AM +0200, Laurent Pinchart wrote:
> > From: Gjorgji Rosikopulos <[email protected]>
> > 
> > Buffer length is needed for single plane as well, otherwise
> > is uninitialized and behaviour is undetermined.
> 
> How about:
> 
> The v4l2_buffer length field must be passed as well from user to kernel and
> back, otherwise uninitialised values will be used.
> 
> > Signed-off-by: Gjorgji Rosikopulos <[email protected]>
> > Signed-off-by: Laurent Pinchart <[email protected]>
> 
> Acked-by: Sakari Ailus <[email protected]>
> 
> Shouldn't this be submitted to stable as well?

I'll CC stable.

> > ---
> > 
> >  drivers/media/v4l2-core/v4l2-compat-ioctl32.c | 7 +++++--
> >  1 file changed, 5 insertions(+), 2 deletions(-)
> > 
> > diff --git a/drivers/media/v4l2-core/v4l2-compat-ioctl32.c
> > b/drivers/media/v4l2-core/v4l2-compat-ioctl32.c index
> > 8fd84a67478a..b0faa1f7e3a9 100644
> > --- a/drivers/media/v4l2-core/v4l2-compat-ioctl32.c
> > +++ b/drivers/media/v4l2-core/v4l2-compat-ioctl32.c
> > @@ -482,8 +482,10 @@ static int get_v4l2_buffer32(struct v4l2_buffer *kp,
> > struct v4l2_buffer32 __user> 
> >                             return -EFAULT;
> >                     
> >                     break;
> >             
> >             case V4L2_MEMORY_DMABUF:
> > -                   if (get_user(kp->m.fd, &up->m.fd))
> > +                   if (get_user(kp->m.fd, &up->m.fd) ||
> > +                       get_user(kp->length, &up->length))
> > 
> >                             return -EFAULT;
> > 
> > +
> > 
> >                     break;
> >             
> >             }
> >     
> >     }
> > 
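Review bot: The lone `+` line added after `return -EFAULT;` in the V4L2_MEMORY_DMABUF case of get_v4l2_buffer32() puts a blank line before `break;` that the matching put_v4l2_buffer32() hunk does not have; drop it so both cases keep the same layout. The commit message also speaks of single-plane buffers in general, while the only case changed here is V4L2_MEMORY_DMABUF, so the log should name that memory type as the one where, per the message, kp->length was left uninitialised.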
> > @@ -550,7 +552,8 @@ static int put_v4l2_buffer32(struct v4l2_buffer *kp,
> > struct v4l2_buffer32 __user> 
> >                             return -EFAULT;
> >                     
> >                     break;
> >             
> >             case V4L2_MEMORY_DMABUF:
> > -                   if (put_user(kp->m.fd, &up->m.fd))
> > +                   if (put_user(kp->m.fd, &up->m.fd) ||
> > +                       put_user(kp->length, &up->length))
> > 
> >                             return -EFAULT;
> >                     
> >                     break;
> >             
> >             }
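Review bot: The rationale for the write-back in the V4L2_MEMORY_DMABUF case of put_v4l2_buffer32() is missing: the commit message only describes the uninitialised value on the way in, yet this hunk also copies kp->length out to up->length. State in the log that the field is returned to the 32-bit caller as well, along the lines of the "from user to kernel and back" wording proposed in this thread, so the get and put paths are documented as a pair.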

-- 
Regards,

Laurent Pinchart
