Re: [PATCHv2 13/13] v4l2-compat-ioctl32.c: refactor, fix security bug in compat ioctl32

2018-01-30 Thread Hans Verkuil 
On 01/30/18 12:46, Sakari Ailus wrote:
> Hi Hans,
> 
> Thanks for the update. Please see a few additional comments below.
> 
> On Tue, Jan 30, 2018 at 11:27:01AM +0100, Hans Verkuil wrote:
> ...
>> @@ -891,30 +1057,53 @@ static long do_video_ioctl(struct file *file, 
>> unsigned int cmd, unsigned long ar
>>  case VIDIOC_STREAMOFF:
>>  case VIDIOC_S_INPUT:
>>  case VIDIOC_S_OUTPUT:
>> -err = get_user(karg.vi, (s32 __user *)up);
>> +err = alloc_userspace(sizeof(unsigned int), 0, _native);
>> +if (!err && assign_in_user((unsigned int __user *)up_native,
>> +   (compat_uint_t __user *)up))
>> +err = -EFAULT;
>>  compatible_arg = 0;
>>  break;
>>  
>>  case VIDIOC_G_INPUT:
>>  case VIDIOC_G_OUTPUT:
>> +err = alloc_userspace(sizeof(unsigned int), 0,
>> +  _native);
> 
> Fits on a single line.

Changed.

> 
>>  compatible_arg = 0;
>>  break;
>>  
>>  case VIDIOC_G_EDID:
>>  case VIDIOC_S_EDID:
>> -err = get_v4l2_edid32(, up);
>> +err = alloc_userspace(sizeof(struct v4l2_edid), 0, _native);
>> +if (!err)
>> +err = get_v4l2_edid32(up_native, up);
>>  compatible_arg = 0;
>>  break;
>>  
>>  case VIDIOC_G_FMT:
>>  case VIDIOC_S_FMT:
>>  case VIDIOC_TRY_FMT:
>> -err = get_v4l2_format32(, up);
>> +err = bufsize_v4l2_format(up, _space);
>> +if (!err)
>> +err = alloc_userspace(sizeof(struct v4l2_format),
>> +  aux_space, _native);
>> +if (!err) {
>> +aux_buf = up_native + sizeof(struct v4l2_format);
>> +err = get_v4l2_format32(up_native, up,
>> +aux_buf, aux_space);
>> +}
>>  compatible_arg = 0;
>>  break;
>>  
>>  case VIDIOC_CREATE_BUFS:
>> -err = get_v4l2_create32(, up);
>> +err = bufsize_v4l2_create(up, _space);
>> +if (!err)
>> +err = alloc_userspace(sizeof(struct 
>> v4l2_create_buffers),
>> +aux_space, _native);
>> +if (!err) {
>> +aux_buf = up_native + sizeof(struct 
>> v4l2_create_buffers);
> 
> A few lines over 80 characters. It's not a lot but I see no reason to avoid
> wrapping them either.

I'm not changing this. It looks really ugly if I split it up.

> 
>> +err = get_v4l2_create32(up_native, up,
>> +aux_buf, aux_space);
>> +}
>>  compatible_arg = 0;
>>  break;
>>  
> 
> The above can be addressed later, right now this isn't a priority.
> 
> Acked-by: Sakari Ailus 
> 

Thanks!

Hans

Re: [PATCHv2 13/13] v4l2-compat-ioctl32.c: refactor, fix security bug in compat ioctl32

2018-01-30 Thread Sakari Ailus 
Hi Hans,

Thanks for the update. Please see a few additional comments below.

On Tue, Jan 30, 2018 at 11:27:01AM +0100, Hans Verkuil wrote:
...
> @@ -891,30 +1057,53 @@ static long do_video_ioctl(struct file *file, unsigned 
> int cmd, unsigned long ar
>   case VIDIOC_STREAMOFF:
>   case VIDIOC_S_INPUT:
>   case VIDIOC_S_OUTPUT:
> - err = get_user(karg.vi, (s32 __user *)up);
> + err = alloc_userspace(sizeof(unsigned int), 0, _native);
> + if (!err && assign_in_user((unsigned int __user *)up_native,
> +(compat_uint_t __user *)up))
> + err = -EFAULT;
>   compatible_arg = 0;
>   break;
>  
>   case VIDIOC_G_INPUT:
>   case VIDIOC_G_OUTPUT:
> + err = alloc_userspace(sizeof(unsigned int), 0,
> +   _native);

Fits on a single line.

>   compatible_arg = 0;
>   break;
>  
>   case VIDIOC_G_EDID:
>   case VIDIOC_S_EDID:
> - err = get_v4l2_edid32(, up);
> + err = alloc_userspace(sizeof(struct v4l2_edid), 0, _native);
> + if (!err)
> + err = get_v4l2_edid32(up_native, up);
>   compatible_arg = 0;
>   break;
>  
>   case VIDIOC_G_FMT:
>   case VIDIOC_S_FMT:
>   case VIDIOC_TRY_FMT:
> - err = get_v4l2_format32(, up);
> + err = bufsize_v4l2_format(up, _space);
> + if (!err)
> + err = alloc_userspace(sizeof(struct v4l2_format),
> +   aux_space, _native);
> + if (!err) {
> + aux_buf = up_native + sizeof(struct v4l2_format);
> + err = get_v4l2_format32(up_native, up,
> + aux_buf, aux_space);
> + }
>   compatible_arg = 0;
>   break;
>  
>   case VIDIOC_CREATE_BUFS:
> - err = get_v4l2_create32(, up);
> + err = bufsize_v4l2_create(up, _space);
> + if (!err)
> + err = alloc_userspace(sizeof(struct 
> v4l2_create_buffers),
> + aux_space, _native);
> + if (!err) {
> + aux_buf = up_native + sizeof(struct 
> v4l2_create_buffers);

A few lines over 80 characters. It's not a lot but I see no reason to avoid
wrapping them either.

> + err = get_v4l2_create32(up_native, up,
> + aux_buf, aux_space);
> + }
>   compatible_arg = 0;
>   break;
>  

The above can be addressed later, right now this isn't a priority.

Acked-by: Sakari Ailus 

-- 
Sakari Ailus
e-mail: sakari.ai...@iki.fi