From: Mauro Carvalho Chehab <mchehab@redhat.com>
Date: Wed, 13 Oct 2010 16:54:00 -0400
Subject: [media] video: remove compat code for VIDIOCSMICROCODE
Message-id: <4CB5E428.8080809@redhat.com>
Patchwork-id: 4488
O-Subject: [kernel team] [PATCH RHEL 5.6] CVE-2010-2963: Remove compat code
	for VIDIOCSMICROCODE
Bugzilla: 642471
CVE: CVE-2010-2963
RH-Acked-by: Eugene Teo <eugene@redhat.com>
RH-Acked-by: Amerigo Wang <amwang@redhat.com>
RH-Acked-by: Prarit Bhargava <prarit@redhat.com>

VIDIOCSMICROCODE is a way used by a few V4L1 drivers to load a firmware that was made
obsolete by request_firmware().

There only x86 driver that uses it is stradis driver (VIDEO_STRADIS). It is a driver from
kernel 2.2 days, whose the last patch from its author were the conversion to 2.4. The driver
were written back in 1999 and not enabled on RHEL.

The compat code were never tested (as we don't know anyone having one of this board), and, as
a security issue were discovered on it, better to just remove this beast.

BZ#642471

Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
Signed-off-by: Jarod Wilson <jarod@redhat.com>

diff --git a/drivers/media/video/compat_ioctl32.c b/drivers/media/video/compat_ioctl32.c
index b69ee11..f567034 100644
--- a/drivers/media/video/compat_ioctl32.c
+++ b/drivers/media/video/compat_ioctl32.c
@@ -494,22 +494,6 @@ static inline int put_v4l2_input(struct v4l2_input *kp, struct v4l2_input __user
 }
 
 #ifdef CONFIG_VIDEO_V4L1_COMPAT
-struct video_code32
-{
-	char		loadwhat[16];	/* name or tag of file being passed */
-	compat_int_t	datasize;
-	unsigned char	*data;
-};
-
-static inline int microcode32(struct video_code *kp, struct video_code32 __user *up)
-{
-	if(!access_ok(VERIFY_READ, up, sizeof(struct video_code32)) ||
-		copy_from_user(kp->loadwhat, up->loadwhat, sizeof (up->loadwhat)) ||
-		get_user(kp->datasize, &up->datasize) ||
-		copy_from_user(kp->data, up->data, up->datasize))
-			return -EFAULT;
-	return 0;
-}
 
 #define VIDIOCGTUNER32		_IOWR('v',4, struct video_tuner32)
 #define VIDIOCSTUNER32		_IOW('v',5, struct video_tuner32)
@@ -519,7 +503,6 @@ static inline int microcode32(struct video_code *kp, struct video_code32 __user
 #define VIDIOCSFBUF32		_IOW('v',12, struct video_buffer32)
 #define VIDIOCGFREQ32		_IOR('v',14, u32)
 #define VIDIOCSFREQ32		_IOW('v',15, u32)
-#define VIDIOCSMICROCODE32	_IOW('v',27, struct video_code32)
 
 #endif
 
@@ -642,7 +625,6 @@ static int do_video_ioctl(struct file *file, unsigned int cmd, unsigned long arg
 	case VIDIOCSFBUF32: cmd = VIDIOCSFBUF; break;
 	case VIDIOCGFREQ32: cmd = VIDIOCGFREQ; break;
 	case VIDIOCSFREQ32: cmd = VIDIOCSFREQ; break;
-	case VIDIOCSMICROCODE32: cmd = VIDIOCSMICROCODE; break;
 #endif
 	case VIDIOC_G_FMT32: cmd = VIDIOC_G_FMT; break;
 	case VIDIOC_S_FMT32: cmd = VIDIOC_S_FMT; break;
@@ -739,12 +721,6 @@ static int do_video_ioctl(struct file *file, unsigned int cmd, unsigned long arg
 	case VIDIOC_G_FBUF:
 	case VIDIOC_G_INPUT:
 		compatible_arg = 0;
-#ifdef CONFIG_VIDEO_V4L1_COMPAT
-	case VIDIOCSMICROCODE:
-		err = microcode32(&karg.vc, up);
-		compatible_arg = 0;
-		break;
-#endif
 	};
 	if(err)
 		goto out;