From patchwork Tue Jun 16 13:12:31 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Paul Elder X-Patchwork-Id: 4046 Return-Path: Received: from perceval.ideasonboard.com (perceval.ideasonboard.com [IPv6:2001:4b98:dc2:55:216:3eff:fef7:d647]) by lancelot.ideasonboard.com (Postfix) with ESMTPS id 0212F61F24 for ; Tue, 16 Jun 2020 15:13:04 +0200 (CEST) Authentication-Results: lancelot.ideasonboard.com; dkim=pass (1024-bit key; unprotected) header.d=ideasonboard.com header.i=@ideasonboard.com header.b="WxbsQKe2"; dkim-atps=neutral Received: from jade.flets-east.jp (unknown [IPv6:2400:4051:61:600:2807:bdfa:f6a:8e53]) by perceval.ideasonboard.com (Postfix) with ESMTPSA id 820ABF9; Tue, 16 Jun 2020 15:13:02 +0200 (CEST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ideasonboard.com; s=mail; t=1592313183; bh=ixlFXZxogr8vUn3rqaonr1O8urYXVk596ihDKMCdhUM=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=WxbsQKe2jRvSkiJIaaJEDpeezOe4asNhgAwvmPgq2Fn8iz+hl3HB5zGRSc9HBfM1e bpws8VPiXjHXuca7CQum38jn5hy9fg63PkRapjv9lWFTJRO8Z6LKn2XmUHzGVKvmor K/PogF9Qnyhbr5CU7jxRUbDTK/PJcwBQOeyFxKnQ= 
From: Paul Elder To: libcamera-devel@lists.libcamera.org Date: Tue, 16 Jun 2020 22:12:31 +0900 Message-Id: <20200616131244.70308-3-paul.elder@ideasonboard.com> X-Mailer: git-send-email 2.27.0 In-Reply-To: <20200616131244.70308-1-paul.elder@ideasonboard.com> References: <20200616131244.70308-1-paul.elder@ideasonboard.com> MIME-Version: 1.0 Subject: [libcamera-devel] [PATCH 02/15] v4l2: v4l2_camera_proxy: Check for null arg values in ioctl handlers X-BeenThere: libcamera-devel@lists.libcamera.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 16 Jun 2020 13:13:04 -0000 The ioctl handlers currently don't check if arg is null, so if it ever is, it will cause a segfault. Check that arg is null and return -EFAULT in all vidioc ioctl handlers. Signed-off-by: Paul Elder
---
 src/v4l2/v4l2_camera_proxy.cpp | 33 +++++++++++++++++++++++++++++++-- 1 file changed, 31 insertions(+), 2 deletions(-)
diff --git a/src/v4l2/v4l2_camera_proxy.cpp b/src/v4l2/v4l2_camera_proxy.cpp
index 594dd13..5b74b53 100644
--- a/src/v4l2/v4l2_camera_proxy.cpp
+++ b/src/v4l2/v4l2_camera_proxy.cpp
@@ -238,6 +238,9 @@ int V4L2CameraProxy::vidioc_querycap(struct v4l2_capability *arg)
 {
 LOG(V4L2Compat, Debug) << "Servicing vidioc_querycap";
+ if (arg == nullptr)
+ return -EFAULT;
+
 *arg = capabilities_;
 return 0;
@@ -247,6 +250,8 @@ int V4L2CameraProxy::vidioc_enum_fmt(int fd, struct v4l2_fmtdesc *arg)
 {
 LOG(V4L2Compat, Debug) << "Servicing vidioc_enum_fmt fd = " << fd;
+ if (arg == nullptr)
+ return -EFAULT;
 if (!validateBufferType(arg->type) || arg->index >= streamConfig_.formats().pixelformats().size())
@@ -264,6 +269,8 @@ int V4L2CameraProxy::vidioc_g_fmt(int fd, struct v4l2_format *arg)
 {
 LOG(V4L2Compat, Debug) << "Servicing vidioc_g_fmt fd = " << fd;
+ if (arg == nullptr)
+ return -EFAULT;
 if (!validateBufferType(arg->type))
 return -EINVAL;
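Review bot: The guard added to vidioc_querycap (`if (arg == nullptr) return -EFAULT;`) rejects only a literal null pointer, so any other invalid address supplied by the application still reaches `*arg = capabilities_;` and crashes the process, where a kernel driver would report EFAULT. The same two lines are repeated in vidioc_enum_fmt, vidioc_g_fmt, vidioc_s_fmt, vidioc_try_fmt, vidioc_reqbufs, vidioc_querybuf, vidioc_qbuf, vidioc_dqbuf, vidioc_streamon and vidioc_streamoff. Doing the test once in the function that dispatches to these handlers (not part of this patch, so whether that fits is an assumption) would keep a handler added later from missing it. Either way the limit is worth recording next to the check, for example `/* Only nullptr is caught; other bad pointers still fault. */`.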
@@ -303,6 +310,9 @@ int V4L2CameraProxy::vidioc_s_fmt(int fd, struct v4l2_format *arg)
 {
 LOG(V4L2Compat, Debug) << "Servicing vidioc_s_fmt fd = " << fd;
+ if (arg == nullptr)
+ return -EFAULT;
+
 int ret = lock(fd);
 if (ret < 0)
 return ret;
@@ -334,6 +344,9 @@ int V4L2CameraProxy::vidioc_try_fmt(int fd, struct v4l2_format *arg)
 {
 LOG(V4L2Compat, Debug) << "Servicing vidioc_try_fmt fd = " << fd;
+ if (arg == nullptr)
+ return -EFAULT;
+
 if (!validateBufferType(arg->type))
 return -EINVAL;
@@ -361,6 +374,8 @@ int V4L2CameraProxy::vidioc_reqbufs(int fd, struct v4l2_requestbuffers *arg)
 {
 LOG(V4L2Compat, Debug) << "Servicing vidioc_reqbufs fd = " << fd;
+ if (arg == nullptr)
+ return -EFAULT;
 int ret = lock(fd);
 if (ret < 0)
@@ -444,6 +459,9 @@ int V4L2CameraProxy::vidioc_querybuf(int fd, struct v4l2_buffer *arg)
 {
 LOG(V4L2Compat, Debug) << "Servicing vidioc_querybuf fd = " << fd;
+ if (arg == nullptr)
+ return -EFAULT;
+
 int ret = lock(fd);
 if (ret < 0)
 return ret;
@@ -461,8 +479,10 @@ int V4L2CameraProxy::vidioc_querybuf(int fd, struct v4l2_buffer *arg)
 int V4L2CameraProxy::vidioc_qbuf(int fd, struct v4l2_buffer *arg)
 {
- LOG(V4L2Compat, Debug) << "Servicing vidioc_qbuf, index = "
- << arg->index << " fd = " << fd;
+ LOG(V4L2Compat, Debug) << "Servicing vidioc_qbuf fd = " << fd;
+
+ if (arg == nullptr)
+ return -EFAULT;
 int ret = lock(fd);
 if (ret < 0)
@@ -487,6 +507,9 @@ int V4L2CameraProxy::vidioc_dqbuf(int fd, struct v4l2_buffer *arg)
 {
 LOG(V4L2Compat, Debug) << "Servicing vidioc_dqbuf fd = " << fd;
+ if (arg == nullptr)
+ return -EFAULT;
+
 int ret = lock(fd);
 if (ret < 0)
 return ret;
@@ -522,6 +545,9 @@ int V4L2CameraProxy::vidioc_streamon(int fd, int *arg)
 {
 LOG(V4L2Compat, Debug) << "Servicing vidioc_streamon fd = " << fd;
+ if (arg == nullptr)
+ return -EFAULT;
+
 int ret = lock(fd);
 if (ret < 0)
 return ret;
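Review bot: In the vidioc_qbuf hunk the debug message loses the buffer index, which was dropped so that `arg->index` is no longer read before the new null check. The index is the field that makes queue/dequeue traces usable, so it can be kept by emitting the message after the guard instead: place `LOG(V4L2Compat, Debug) << "Servicing vidioc_qbuf, index = " << arg->index << " fd = " << fd;` below `return -EFAULT;`. The body of vidioc_qbuf continues past the end of the hunk.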
@@ -538,6 +564,9 @@ int V4L2CameraProxy::vidioc_streamoff(int fd, int *arg)
 {
 LOG(V4L2Compat, Debug) << "Servicing vidioc_streamoff fd = " << fd;
+ if (arg == nullptr)
+ return -EFAULT;
+
 int ret = lock(fd);
 if (ret < 0)
 return ret;