DivestOS/Patches/Linux_CVEs/CVE-2017-0628/4.4/0.patch

57 lines
2.2 KiB
Diff
Raw Normal View History

From 012e37bf91490c5b59ba2ab68a4d214b632b613f Mon Sep 17 00:00:00 2001
From: Rajesh Bondugula <rajeshb@codeaurora.org>
Date: Tue, 8 Nov 2016 11:52:55 -0800
Subject: msm: camera: sensor: Validate i2c_frq_mode in msm_cci_get_clk_rates
i2c_freq_mode in msm_cci_get_clk_rates is populated from userspace.
Validate to make sure it has valid values. If a large number is sent
from userspace to avoid a buffer over read.
Crs-Fixed: 1086833
Change-Id: I237f60dca3e3dbad4e6188bf047cf7ec5163d159
Signed-off-by: Rajesh Bondugula <rajeshb@codeaurora.org>
---
drivers/media/platform/msm/camera_v2/sensor/cci/msm_cci.c | 12 ++++++++++--
1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/drivers/media/platform/msm/camera_v2/sensor/cci/msm_cci.c b/drivers/media/platform/msm/camera_v2/sensor/cci/msm_cci.c
index b1c2382..f113bdc 100644
--- a/drivers/media/platform/msm/camera_v2/sensor/cci/msm_cci.c
+++ b/drivers/media/platform/msm/camera_v2/sensor/cci/msm_cci.c
@@ -115,15 +115,16 @@ static int32_t msm_cci_set_clk_param(struct cci_device *cci_dev,
enum cci_i2c_master_t master = c_ctrl->cci_info->cci_i2c_master;
enum i2c_freq_mode_t i2c_freq_mode = c_ctrl->cci_info->i2c_freq_mode;
- clk_params = &cci_dev->cci_clk_params[i2c_freq_mode];
-
if ((i2c_freq_mode >= I2C_MAX_MODES) || (i2c_freq_mode < 0)) {
pr_err("%s:%d invalid i2c_freq_mode = %d",
__func__, __LINE__, i2c_freq_mode);
return -EINVAL;
}
+
if (cci_dev->i2c_freq_mode[master] == i2c_freq_mode)
return 0;
+
+ clk_params = &cci_dev->cci_clk_params[i2c_freq_mode];
if (MASTER_0 == master) {
msm_camera_io_w_mb(clk_params->hw_thigh << 16 |
clk_params->hw_tlow,
@@ -1196,6 +1197,13 @@ static uint32_t *msm_cci_get_clk_rates(struct cci_device *cci_dev,
struct msm_cci_clk_params_t *clk_params = NULL;
enum i2c_freq_mode_t i2c_freq_mode = c_ctrl->cci_info->i2c_freq_mode;
struct device_node *of_node = cci_dev->pdev->dev.of_node;
+
+ if ((i2c_freq_mode >= I2C_MAX_MODES) || (i2c_freq_mode < 0)) {
+ pr_err("%s:%d invalid i2c_freq_mode %d\n",
+ __func__, __LINE__, i2c_freq_mode);
+ return NULL;
+ }
+
clk_params = &cci_dev->cci_clk_params[i2c_freq_mode];
cci_clk_src = clk_params->cci_clk_src;
--
cgit v1.1