Re-apply "[media] videobuf2-v4l2: Verify planes array in buffer dequeueing"
This was reverted upstream in 4.5.5 due to a regression but we have a fix for the regression (probably).
parent
46e3b9492a
commit
1edaa5dd82
|
@ -59,7 +59,6 @@ linux (4.5.5-1) UNRELEASED; urgency=medium
|
|||
- atomic_open(): fix the handling of create_error
|
||||
- qla1280: Don't allocate 512kb of host tags
|
||||
- tools lib traceevent: Do not reassign parg after collapse_tree()
|
||||
- Revert "[media] videobuf2-v4l2: Verify planes array in buffer dequeueing"
|
||||
- [x86] drm/i915: Update CDCLK_FREQ register on BDW after changing cdclk
|
||||
frequency
|
||||
- drm/radeon: fix PLL sharing on DCE6.1 (v2)
|
||||
|
@ -101,6 +100,8 @@ linux (4.5.5-1) UNRELEASED; urgency=medium
|
|||
snd_timer_user_tinterrupt (CVE-2016-4578)
|
||||
* dwc3-exynos: Fix deferred probing storm (Closes: #823552; thanks to
|
||||
Steinar H. Gunderson)
|
||||
* Re-apply "[media] videobuf2-v4l2: Verify planes array in buffer dequeueing",
|
||||
reverted upstream in 4.5.5
|
||||
|
||||
[ Roger Shimizu ]
|
||||
* [armhf] Enable SENSORS_PWM_FAN / PWM_SAMSUNG as module, as recommended by
|
||||
|
|
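--- /dev/null
+++ b/debian/patches/bugfix/all/media-videobuf2-v4l2-verify-planes-array-in-buffer-d.patch
@@ -0,0 +1,52 @@
+From: Sakari Ailus <sakari.ailus@linux.intel.com>
+Date: Sun, 3 Apr 2016 16:31:03 -0300
+Subject: [media] videobuf2-v4l2: Verify planes array in buffer dequeueing
+Origin: https://git.kernel.org/linus/2c1f6951a8a82e6de0d82b1158b5e493fc6c54ab
+
+When a buffer is being dequeued using VIDIOC_DQBUF IOCTL, the exact buffer
+which will be dequeued is not known until the buffer has been removed from
+the queue. The number of planes is specific to a buffer, not to the queue.
+
+This does lead to the situation where multi-plane buffers may be requested
+and queued with n planes, but VIDIOC_DQBUF IOCTL may be passed an argument
+struct with fewer planes.
+
+__fill_v4l2_buffer() however uses the number of planes from the dequeued
+videobuf2 buffer, overwriting kernel memory (the m.planes array allocated
+in video_usercopy() in v4l2-ioctl.c) if the user provided fewer
+planes than the dequeued buffer had. Oops!
+
+Fixes: b0e0e1f83de3 ("[media] media: videobuf2: Prepare to divide videobuf2")
+
+Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Acked-by: Hans Verkuil <hans.verkuil@cisco.com>
+Cc: stable@vger.kernel.org # for v4.4 and later
+Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
+---
+drivers/media/v4l2-core/videobuf2-v4l2.c | 6 ++++++
+1 file changed, 6 insertions(+)
+
+diff --git a/drivers/media/v4l2-core/videobuf2-v4l2.c b/drivers/media/v4l2-core/videobuf2-v4l2.c
+index 91f552124050..8da7470ca364 100644
+--- a/drivers/media/v4l2-core/videobuf2-v4l2.c
++++ b/drivers/media/v4l2-core/videobuf2-v4l2.c
+@@ -74,6 +74,11 @@ static int __verify_planes_array(struct vb2_buffer *vb, const struct v4l2_buffer
+return 0;
+}
+
++static int __verify_planes_array_core(struct vb2_buffer *vb, const void *pb)
++{
++ return __verify_planes_array(vb, pb);
++}
++
+/**
+* __verify_length() - Verify that the bytesused value for each plane fits in
+* the plane length and that the data offset doesn't exceed the bytesused value.
+@@ -437,6 +442,7 @@ static int __fill_vb2_buffer(struct vb2_buffer *vb,
+}
+
+static const struct vb2_buf_ops v4l2_buf_ops = {
++ .verify_planes_array = __verify_planes_array_core,
+.fill_user_buffer = __fill_v4l2_buffer,
+.fill_vb2_buffer = __fill_vb2_buffer,
+.copy_timestamp = __copy_timestamp,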
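Review bot: `__verify_planes_array_core()` hands `pb` to `__verify_planes_array()` unchecked, and this commit adds only the re-applied patch to the series, not the regression fix the description says exists "(probably)". The page does not show what the regression was; if it is a caller reaching this op without a user-supplied buffer (a NULL `pb`), re-applying the patch alone would trade the plane-array overwrite for a crash on that path. The fix for the regression should be added to `series` directly after this entry in the same upload, or, if no such patch is ready, the wrapper could guard with `if (!pb) return 0;`, provided that skipping the check is acceptable for kernel-internal callers. The patch header should also record that upstream reverted this change in 4.5.5 and name the patch that resolves the regression, so a later rebase does not drop one half. The body of `__verify_planes_array()` lies outside the hunk, so what it dereferences cannot be confirmed from here.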
|
@ -143,6 +143,7 @@ bugfix/all/usb-usbfs-fix-potential-infoleak-in-devio.patch
|
|||
bugfix/all/alsa-timer-fix-leak-in-sndrv_timer_ioctl_params.patch
|
||||
bugfix/all/alsa-timer-fix-leak-in-events-via-snd_timer_user_cca.patch
|
||||
bugfix/all/alsa-timer-fix-leak-in-events-via-snd_timer_user_tin.patch
|
||||
bugfix/all/media-videobuf2-v4l2-verify-planes-array-in-buffer-d.patch
|
||||
|
||||
# ABI maintenance
|
||||
debian/ib-fix-abi-change-in-4.5.3.patch
|
||||
|
|