
From eba46cb98431ba1d7a6bd859f26f6ad03f1bf4d4 Mon Sep 17 00:00:00 2001
From: Rajesh Bondugula <rajeshb@codeaurora.org>
Date: Tue, 15 Nov 2016 14:55:35 -0800
Subject: msm: camera: eeprom: Validate the power setting size
Validate the power setting size before copying.
If userspace sends a value which is greater than
MAX_POWER_CONFIG, then the driver accesses unintended memory.
This change will fix the issue.
Crs-Fixed: 1089433
Signed-off-by: Rajesh Bondugula <rajeshb@codeaurora.org>
Change-Id: Iaaa6f5b3c1c2ac5b5b38b3ac407d6ae394bba780
---
.../msm/camera_v2/sensor/eeprom/msm_eeprom.c | 24 +++++++++-------------
1 file changed, 10 insertions(+), 14 deletions(-)
diff --git a/drivers/media/platform/msm/camera_v2/sensor/eeprom/msm_eeprom.c b/drivers/media/platform/msm/camera_v2/sensor/eeprom/msm_eeprom.c
index 037e8b5..dd2f919 100644
--- a/drivers/media/platform/msm/camera_v2/sensor/eeprom/msm_eeprom.c
+++ b/drivers/media/platform/msm/camera_v2/sensor/eeprom/msm_eeprom.c
@@ -1409,6 +1409,16 @@ static int eeprom_init_config32(struct msm_eeprom_ctrl_t *e_ctrl,
power_info = &(e_ctrl->eboard_info->power_info);
+ if ((power_setting_array32->size > MAX_POWER_CONFIG) ||
+ (power_setting_array32->size_down > MAX_POWER_CONFIG) ||
+ (!power_setting_array32->size) ||
+ (!power_setting_array32->size_down)) {
+ pr_err("%s:%d invalid power setting size=%d size_down=%d\n",
+ __func__, __LINE__, power_setting_array32->size,
+ power_setting_array32->size_down);
+ rc = -EINVAL;
+ goto free_mem;
+ }
msm_eeprom_copy_power_settings_compat(
power_setting_array,
power_setting_array32);
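Review bot: The size check added ahead of `msm_eeprom_copy_power_settings_compat()` guards only this call site. The helper is not visible here, but if it loops over `size`/`size_down` into MAX_POWER_CONFIG-sized arrays, as the commit message implies, any other caller stays unguarded, so consider bounding the loops inside the helper as well. The check is also only sound if `power_setting_array32` is already a kernel-side copy at this point rather than memory userspace can still change; that allocation is outside the hunk and worth confirming. Because the rejected values are userspace-controlled, `pr_err_ratelimited(...)` would stop a misbehaving caller from flooding the kernel log. A short comment such as `/* sizes are user-supplied: validate before the compat copy indexes the fixed arrays */` would stop the ordering from being undone later; `eeprom_init_config32` starts and ends outside the hunk.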
@@ -1423,20 +1433,6 @@ static int eeprom_init_config32(struct msm_eeprom_ctrl_t *e_ctrl,
power_info->power_down_setting_size =
power_setting_array->size_down;
- if ((power_info->power_setting_size >
- MAX_POWER_CONFIG) ||
- (power_info->power_down_setting_size >
- MAX_POWER_CONFIG) ||
- (!power_info->power_down_setting_size) ||
- (!power_info->power_setting_size)) {
- rc = -EINVAL;
- pr_err("%s:%d Invalid power setting size :%d, %d\n",
- __func__, __LINE__,
- power_info->power_setting_size,
- power_info->power_down_setting_size);
- goto free_mem;
- }
-
if (e_ctrl->i2c_client.cci_client) {
e_ctrl->i2c_client.cci_client->i2c_freq_mode =
cdata32->cfg.eeprom_info.i2c_freq_mode;
--
cgit v1.1