[PATCH for 6.1 1/4] vivid: s_fbuf: add more sanity checks

From: Hans Verkuil
Date: Mon Oct 17 2022 - 10:46:45 EST

Next message: Hans Verkuil: "[PATCH for 6.1 2/4] vivid: dev->bitmap_cap wasn't freed in all cases"
Previous message: Hans Verkuil: "[PATCH for 6.1 0/4] vivid crash fixes"
In reply to: Hans Verkuil: "[PATCH for 6.1 0/4] vivid crash fixes"
Next in thread: Hans Verkuil: "[PATCH for 6.1 2/4] vivid: dev->bitmap_cap wasn't freed in all cases"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

VIDIOC_S_FBUF is by definition a scary ioctl, which is why only root
can use it. But at least check if the framebuffer parameters match that
of one of the framebuffer created by vivid, and reject anything else.

Signed-off-by: Hans Verkuil <hverkuil-cisco@xxxxxxxxx>
Fixes: ef834f7836ec ([media] vivid: add the video capture and output parts)
---
drivers/media/test-drivers/vivid/vivid-core.c | 22 +++++++++++++++++++
drivers/media/test-drivers/vivid/vivid-core.h | 2 ++
.../media/test-drivers/vivid/vivid-vid-cap.c | 9 +++++++-
3 files changed, 32 insertions(+), 1 deletion(-)

diff --git a/drivers/media/test-drivers/vivid/vivid-core.c b/drivers/media/test-drivers/vivid/vivid-core.c
index 04b75666bad4..61d48fbc3d15 100644
--- a/drivers/media/test-drivers/vivid/vivid-core.c
+++ b/drivers/media/test-drivers/vivid/vivid-core.c
@@ -339,6 +339,28 @@ static int vidioc_g_fbuf(struct file *file, void *fh, struct v4l2_framebuffer *a
return vivid_vid_out_g_fbuf(file, fh, a);
}

+/*
+ * Only support the framebuffer of one of the vivid instances.
+ * Anything else is rejected.
+ */
+bool vivid_validate_fb(const struct v4l2_framebuffer *a)
+{
+ struct vivid_dev *dev;
+ int i;
+
+ for (i = 0; i < n_devs; i++) {
+ dev = vivid_devs[i];
+ if (!dev || !dev->video_pbase)
+ continue;
+ if ((unsigned long)a->base == dev->video_pbase &&
+ a->fmt.width <= dev->display_width &&
+ a->fmt.height <= dev->display_height &&
+ a->fmt.bytesperline <= dev->display_byte_stride)
+ return true;
+ }
+ return false;
+}
+
static int vidioc_s_fbuf(struct file *file, void *fh, const struct v4l2_framebuffer *a)
{
struct video_device *vdev = video_devdata(file);
diff --git a/drivers/media/test-drivers/vivid/vivid-core.h b/drivers/media/test-drivers/vivid/vivid-core.h
index bfcfb3515901..473f3598db5a 100644
--- a/drivers/media/test-drivers/vivid/vivid-core.h
+++ b/drivers/media/test-drivers/vivid/vivid-core.h
@@ -613,4 +613,6 @@ static inline bool vivid_is_hdmi_out(const struct vivid_dev *dev)
return dev->output_type[dev->output] == HDMI;
}

+bool vivid_validate_fb(const struct v4l2_framebuffer *a);
+
#endif
diff --git a/drivers/media/test-drivers/vivid/vivid-vid-cap.c b/drivers/media/test-drivers/vivid/vivid-vid-cap.c
index 86b158eeb2d8..e3e78b5bd227 100644
--- a/drivers/media/test-drivers/vivid/vivid-vid-cap.c
+++ b/drivers/media/test-drivers/vivid/vivid-vid-cap.c
@@ -1276,7 +1276,14 @@ int vivid_vid_cap_s_fbuf(struct file *file, void *fh,
return -EINVAL;
if (a->fmt.bytesperline < (a->fmt.width * fmt->bit_depth[0]) / 8)
return -EINVAL;
- if (a->fmt.height * a->fmt.bytesperline < a->fmt.sizeimage)
+ if (a->fmt.bytesperline > a->fmt.sizeimage / a->fmt.height)
+ return -EINVAL;
+
+ /*
+ * Only support the framebuffer of one of the vivid instances.
+ * Anything else is rejected.
+ */
+ if (!vivid_validate_fb(a))
return -EINVAL;

dev->fb_vbase_cap = phys_to_virt((unsigned long)a->base);
--
2.35.1

Next message: Hans Verkuil: "[PATCH for 6.1 2/4] vivid: dev->bitmap_cap wasn't freed in all cases"
Previous message: Hans Verkuil: "[PATCH for 6.1 0/4] vivid crash fixes"
In reply to: Hans Verkuil: "[PATCH for 6.1 0/4] vivid crash fixes"
Next in thread: Hans Verkuil: "[PATCH for 6.1 2/4] vivid: dev->bitmap_cap wasn't freed in all cases"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]