DivestOS/Patches/Linux_CVEs/CVE-2017-11028/ANY/0002.patch

37 lines
1.4 KiB
Diff
Raw Normal View History

2017-11-07 17:32:46 -05:00
From 6724296d3f3b2821b83219768c1b9e971e380a9f Mon Sep 17 00:00:00 2001
From: Sriraj Hebbar <srirajh@qti.qualcomm.com>
Date: Fri, 30 Jun 2017 13:14:28 +0530
Subject: msm: camera: isp: Handle array out of bound access
The pointer req_frm is coming from userspace, it may overflow stream_info.
Adding a bound check to prevent the same.
CRs-fixed: 2008683
Change-Id: I8682e09ff2ab7ba490bbbd9e20db978493c5f3e4
Signed-off-by: Senthil Kumar Rajagopal <skrajago@codeaurora.org>
Signed-off-by: Andy Sun <bins@codeaurora.org>
---
drivers/media/platform/msm/ais/isp/msm_isp_axi_util.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/drivers/media/platform/msm/ais/isp/msm_isp_axi_util.c b/drivers/media/platform/msm/ais/isp/msm_isp_axi_util.c
index 373a963..a85ee30 100644
--- a/drivers/media/platform/msm/ais/isp/msm_isp_axi_util.c
+++ b/drivers/media/platform/msm/ais/isp/msm_isp_axi_util.c
@@ -3889,6 +3889,12 @@ int msm_isp_update_axi_stream(struct vfe_device *vfe_dev, void *arg)
case UPDATE_STREAM_REQUEST_FRAMES_VER2: {
struct msm_vfe_axi_stream_cfg_update_info_req_frm *req_frm =
&update_cmd->req_frm_ver2;
+ if (HANDLE_TO_IDX(req_frm->stream_handle) >= VFE_AXI_SRC_MAX) {
+ pr_err("%s: Invalid stream handle\n", __func__);
+ rc = -EINVAL;
+ break;
+ }
+
stream_info = &axi_data->stream_info[HANDLE_TO_IDX(
req_frm->stream_handle)];
rc = msm_isp_request_frame(vfe_dev, stream_info,
--
cgit v1.1