DivestOS/Patches/Linux_CVEs/CVE-2016-6739/3.18/0.patch

63 lines
2.1 KiB
Diff
Raw Normal View History

From c4af572a7ad59c0f07fd316a08055bc86dfb5f0d Mon Sep 17 00:00:00 2001
From: Rajakumar Govindaram <rajakuma@codeaurora.org>
Date: Thu, 15 Sep 2016 17:09:40 -0700
Subject: msm: camera: cpp: Validate frame message before manipulating it.
CPP frame message is used to send all frame data
to Microcontroller. It is sent every frame. CPP kernel
driver has to add information to it before transfer it.
The message has to be validated before manipulations.
If it is not valid the message and corresponding frame
are discarded.
b/30074605
CRs-Fixed: 1049826
Change-Id: I3e11ca7f6df4bb0d928512f81f3e3dc40fed791a
Signed-off-by: Rajakumar Govindaram <rajakuma@codeaurora.org>
---
.../platform/msm/camera_v2/pproc/cpp/msm_cpp.c | 26 ++++++++++------------
1 file changed, 12 insertions(+), 14 deletions(-)
diff --git a/drivers/media/platform/msm/camera_v2/pproc/cpp/msm_cpp.c b/drivers/media/platform/msm/camera_v2/pproc/cpp/msm_cpp.c
index c0105a8..18a465f 100644
--- a/drivers/media/platform/msm/camera_v2/pproc/cpp/msm_cpp.c
+++ b/drivers/media/platform/msm/camera_v2/pproc/cpp/msm_cpp.c
@@ -2251,21 +2251,19 @@ static int msm_cpp_cfg_frame(struct cpp_device *cpp_dev,
return -EINVAL;
}
- if (!new_frame->partial_frame_indicator) {
- if (cpp_frame_msg[new_frame->msg_len - 1] !=
- MSM_CPP_MSG_ID_TRAILER) {
- pr_err("Invalid frame message\n");
- return -EINVAL;
- }
+ if (cpp_frame_msg[new_frame->msg_len - 1] !=
+ MSM_CPP_MSG_ID_TRAILER) {
+ pr_err("Invalid frame message\n");
+ return -EINVAL;
+ }
- if ((stripe_base + new_frame->num_strips * stripe_size + 1) !=
- new_frame->msg_len) {
- pr_err("Invalid frame message,len=%d,expected=%d\n",
- new_frame->msg_len,
- (stripe_base +
- new_frame->num_strips * stripe_size + 1));
- return -EINVAL;
- }
+ if ((stripe_base + new_frame->num_strips * stripe_size + 1) !=
+ new_frame->msg_len) {
+ pr_err("Invalid frame message,len=%d,expected=%d\n",
+ new_frame->msg_len,
+ (stripe_base +
+ new_frame->num_strips * stripe_size + 1));
+ return -EINVAL;
}
if (cpp_dev->iommu_state != CPP_IOMMU_STATE_ATTACHED) {
--
cgit v1.1