DivestOS/Patches/Linux_CVEs/CVE-2016-10233/ANY/0001.patch

103 lines
3.0 KiB
Diff
Raw Normal View History

From d793c6d91ecba2a1fd206ad47a4fd408d290addf Mon Sep 17 00:00:00 2001
From: Trilokesh Rangam <tranga@codeaurora.org>
Date: Wed, 23 Nov 2016 09:41:36 +0530
Subject: msm-camera: Addressing possible overflow conditions
Changes to address possible integer overflow and incorrect
array indexing conditions.
Change-Id: Ib134320cd6f7b34d7a10572ec347ec12127049a9
Signed-off-by: Trilokesh Rangam <tranga@codeaurora.org>
---
drivers/media/video/msm/io/msm_camera_io_util.c | 6 +++++
drivers/media/video/msm/msm_mctl_pp.c | 36 ++++++++++++++++++++++---
2 files changed, 38 insertions(+), 4 deletions(-)
diff --git a/drivers/media/video/msm/io/msm_camera_io_util.c b/drivers/media/video/msm/io/msm_camera_io_util.c
index cede05d..1d2a70c 100644
--- a/drivers/media/video/msm/io/msm_camera_io_util.c
+++ b/drivers/media/video/msm/io/msm_camera_io_util.c
@@ -181,6 +181,12 @@ int msm_camera_config_vreg(struct device *dev, struct camera_vreg_t *cam_vreg,
pr_err("%s:%d vreg sequence invalid\n", __func__, __LINE__);
return -EINVAL;
}
+
+ if (cam_vreg == NULL) {
+ pr_err("%s:%d cam_vreg sequence invalid\n", __func__, __LINE__);
+ return -EINVAL;
+ }
+
if (!num_vreg_seq)
num_vreg_seq = num_vreg;
diff --git a/drivers/media/video/msm/msm_mctl_pp.c b/drivers/media/video/msm/msm_mctl_pp.c
index 8f4f004..61321bf 100644
--- a/drivers/media/video/msm/msm_mctl_pp.c
+++ b/drivers/media/video/msm/msm_mctl_pp.c
@@ -36,6 +36,8 @@
#define D(fmt, args...) do {} while (0)
#endif
+#define UINT32_MAX (4294967295U)
+
static int msm_mctl_pp_buf_divert(
struct msm_cam_media_controller *pmctl,
struct msm_cam_v4l2_dev_inst *pcam_inst,
@@ -668,11 +670,24 @@ int msm_mctl_pp_done(
dirty = 1;
}
} else {
- if (frame.num_planes > 1)
+ if (frame.num_planes > 1) {
+ if (frame.mp[0].phy_addr >
+ (UINT32_MAX - frame.mp[0].data_offset)) {
+ pr_err("%s:%d Invalid data offset\n", __func__, __LINE__);
+ return -EINVAL;
+
+ }
buf.ch_paddr[0] = frame.mp[0].phy_addr +
frame.mp[0].data_offset;
- else
+ } else {
+ if (frame.sp.phy_addr >
+ (UINT32_MAX - frame.sp.y_off)) {
+ pr_err("%s:%d Invalid Y offset\n", __func__, __LINE__);
+ return -EINVAL;
+
+ }
buf.ch_paddr[0] = frame.sp.phy_addr + frame.sp.y_off;
+ }
}
spin_unlock_irqrestore(&p_mctl->pp_info.lock, flags);
@@ -713,11 +728,24 @@ int msm_mctl_pp_divert_done(
buf_handle.image_mode = frame.image_type;
}
- if (frame.num_planes > 1)
+ if (frame.num_planes > 1) {
+ if (frame.mp[0].phy_addr >
+ (UINT32_MAX - frame.mp[0].data_offset)) {
+ pr_err("%s:%d Invalid data offset\n", __func__, __LINE__);
+ return -EINVAL;
+
+ }
buf.ch_paddr[0] = frame.mp[0].phy_addr +
frame.mp[0].data_offset;
- else
+ } else {
+ if (frame.sp.phy_addr >
+ (UINT32_MAX - frame.sp.y_off)) {
+ pr_err("%s:%d Invalid Y offset\n", __func__, __LINE__);
+ return -EINVAL;
+
+ }
buf.ch_paddr[0] = frame.sp.phy_addr + frame.sp.y_off;
+ }
spin_unlock_irqrestore(&p_mctl->pp_info.lock, flags);
--
cgit v1.1