[PATCH 11/17] media: atomisp: compat32: use get_user() before referencing user data

Thu, 12 Apr 2018 08:24:49 -0700 

The logic at get_atomisp_parameters32() is broken, as pointed by
smatch:

        
drivers/staging/media/atomisp/pci/atomisp2/atomisp_compat_ioctl32.c:737:21: 
warning: dereference of noderef expression
        
drivers/staging/media/atomisp/pci/atomisp2/atomisp_compat_ioctl32.c:744:60: 
warning: dereference of noderef expression
        
drivers/staging/media/atomisp/pci/atomisp2/atomisp_compat_ioctl32.c:763:21: 
warning: dereference of noderef expression
        
drivers/staging/media/atomisp/pci/atomisp2/atomisp_compat_ioctl32.c:770:60: 
warning: dereference of noderef expression
        
drivers/staging/media/atomisp/pci/atomisp2/atomisp_compat_ioctl32.c:788:21: 
warning: dereference of noderef expression
        
drivers/staging/media/atomisp/pci/atomisp2/atomisp_compat_ioctl32.c:795:60: 
warning: dereference of noderef expression
        
drivers/staging/media/atomisp/pci/atomisp2/atomisp_compat_ioctl32.c:812:21: 
warning: dereference of noderef expression
        
drivers/staging/media/atomisp/pci/atomisp2/atomisp_compat_ioctl32.c:819:60: 
warning: dereference of noderef expression

It tries to access userspace data directly, without calling
get_user(). That should generate OOPS. Thankfully, the right
logic is already there (although commented out).

Signed-off-by: Mauro Carvalho Chehab <mche...@s-opensource.com>
---
 .../atomisp/pci/atomisp2/atomisp_compat_ioctl32.c  | 38 ----------------------
 1 file changed, 38 deletions(-)

diff --git 
a/drivers/staging/media/atomisp/pci/atomisp2/atomisp_compat_ioctl32.c 
b/drivers/staging/media/atomisp/pci/atomisp2/atomisp_compat_ioctl32.c
index 44c21813a06e..d7c0ef1f9584 100644
--- a/drivers/staging/media/atomisp/pci/atomisp2/atomisp_compat_ioctl32.c
+++ b/drivers/staging/media/atomisp/pci/atomisp2/atomisp_compat_ioctl32.c
@@ -691,10 +691,8 @@ static int get_atomisp_parameters32(struct 
atomisp_parameters *kp,
                                sizeof(compat_uptr_t);
        unsigned int size, offset = 0;
        void  __user *user_ptr;
-#ifdef ISP2401
        unsigned int stp, mtp, dcp, dscp = 0;
 
-#endif
        if (!access_ok(VERIFY_READ, up, sizeof(struct atomisp_parameters32)))
                        return -EFAULT;
 
@@ -707,15 +705,11 @@ static int get_atomisp_parameters32(struct 
atomisp_parameters *kp,
                n--;
        }
        if (get_user(kp->isp_config_id, &up->isp_config_id) ||
-#ifndef ISP2401
-           get_user(kp->per_frame_setting, &up->per_frame_setting))
-#else
            get_user(kp->per_frame_setting, &up->per_frame_setting) ||
            get_user(stp, &up->shading_table) ||
            get_user(mtp, &up->morph_table) ||
            get_user(dcp, &up->dvs2_coefs) ||
            get_user(dscp, &up->dvs_6axis_config))
-#endif
                return -EFAULT;
 
        {
@@ -733,18 +727,10 @@ static int get_atomisp_parameters32(struct 
atomisp_parameters *kp,
                user_ptr = compat_alloc_user_space(size);
 
                /* handle shading table */
-#ifndef ISP2401
-               if (up->shading_table != 0) {
-#else
                if (stp != 0) {
-#endif
                        if (get_atomisp_shading_table32(&karg.shading_table,
                                (struct atomisp_shading_table32 __user *)
-#ifndef ISP2401
-                                               (uintptr_t)up->shading_table))
-#else
                                                (uintptr_t)stp))
-#endif
                                return -EFAULT;
 
                        kp->shading_table = user_ptr + offset;
@@ -759,18 +745,10 @@ static int get_atomisp_parameters32(struct 
atomisp_parameters *kp,
                }
 
                /* handle morph table */
-#ifndef ISP2401
-               if (up->morph_table != 0) {
-#else
                if (mtp != 0) {
-#endif
                        if (get_atomisp_morph_table32(&karg.morph_table,
                                        (struct atomisp_morph_table32 __user *)
-#ifndef ISP2401
-                                               (uintptr_t)up->morph_table))
-#else
                                                (uintptr_t)mtp))
-#endif
                                return -EFAULT;
 
                        kp->morph_table = user_ptr + offset;
@@ -784,18 +762,10 @@ static int get_atomisp_parameters32(struct 
atomisp_parameters *kp,
                }
 
                /* handle dvs2 coefficients */
-#ifndef ISP2401
-               if (up->dvs2_coefs != 0) {
-#else
                if (dcp != 0) {
-#endif
                        if (get_atomisp_dis_coefficients32(&karg.dvs2_coefs,
                                (struct atomisp_dis_coefficients32 __user *)
-#ifndef ISP2401
-                                               (uintptr_t)up->dvs2_coefs))
-#else
                                                (uintptr_t)dcp))
-#endif
                                return -EFAULT;
 
                        kp->dvs2_coefs = user_ptr + offset;
@@ -808,18 +778,10 @@ static int get_atomisp_parameters32(struct 
atomisp_parameters *kp,
                                return -EFAULT;
                }
                /* handle dvs 6axis configuration */
-#ifndef ISP2401
-               if (up->dvs_6axis_config != 0) {
-#else
                if (dscp != 0) {
-#endif
                        if 
(get_atomisp_dvs_6axis_config32(&karg.dvs_6axis_config,
                                (struct atomisp_dvs_6axis_config32 __user *)
-#ifndef ISP2401
-                                               
(uintptr_t)up->dvs_6axis_config))
-#else
                                                (uintptr_t)dscp))
-#endif
                                return -EFAULT;
 
                        kp->dvs_6axis_config = user_ptr + offset;
-- 
2.14.3

_______________________________________________
devel mailing list
de...@linuxdriverproject.org
http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel

Reply via email to