DivestOS/Patches/Linux_CVEs/CVE-2016-3934/ANY/0001.patch

From 27fbeb6b025d5d46ccb0497cbed4c6e78ed1c5cc Mon Sep 17 00:00:00 2001
From: Vasko Kalanoski <vaskok@codeaurora.org>
Date: Tue, 3 Feb 2015 13:17:44 +0200
Subject: msm: camera: restructure data handling to be more robust

add dynamic array allocation instead of static to prevent
stack overflow.

Change-Id: Id12ed5b01809021d2b1d1d71436f2523b575d9de
Signed-off-by: Vasko Kalanoski <vaskok@codeaurora.org>
---
 .../msm/camera_v2/sensor/io/msm_camera_cci_i2c.c   | 25 +++++++++++++++-------
 1 file changed, 17 insertions(+), 8 deletions(-)

diff --git a/drivers/media/platform/msm/camera_v2/sensor/io/msm_camera_cci_i2c.c b/drivers/media/platform/msm/camera_v2/sensor/io/msm_camera_cci_i2c.c
index 4b0bde95..59ad29f 100644
--- a/drivers/media/platform/msm/camera_v2/sensor/io/msm_camera_cci_i2c.c
+++ b/drivers/media/platform/msm/camera_v2/sensor/io/msm_camera_cci_i2c.c
@@ -1,4 +1,4 @@
-/* Copyright (c) 2011-2014, The Linux Foundation. All rights reserved.
+/* Copyright (c) 2011-2015, The Linux Foundation. All rights reserved.
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License version 2 and
@@ -138,23 +138,30 @@ int32_t msm_camera_cci_i2c_write_seq(struct msm_camera_i2c_client *client,
 	int32_t rc = -EFAULT;
 	uint8_t i = 0;
 	struct msm_camera_cci_ctrl cci_ctrl;
-	struct msm_camera_i2c_reg_array reg_conf_tbl[num_byte];
+	struct msm_camera_i2c_reg_array *reg_conf_tbl = NULL;
 
 	if ((client->addr_type != MSM_CAMERA_I2C_BYTE_ADDR
 		&& client->addr_type != MSM_CAMERA_I2C_WORD_ADDR)
 		|| num_byte == 0)
 		return rc;
 
-	S_I2C_DBG("%s reg addr = 0x%x num bytes: %d\n",
-			  __func__, addr, num_byte);
-	memset(reg_conf_tbl, 0,
-		num_byte * sizeof(struct msm_camera_i2c_reg_array));
-	reg_conf_tbl[0].reg_addr = addr;
 	if (num_byte > I2C_SEQ_REG_DATA_MAX) {
 		pr_err("%s: num_byte=%d clamped to max supported %d\n",
 			__func__, num_byte, I2C_SEQ_REG_DATA_MAX);
-		num_byte = I2C_SEQ_REG_DATA_MAX;
+		return rc;
 	}
+
+	S_I2C_DBG("%s reg addr = 0x%x num bytes: %d\n",
+		__func__, addr, num_byte);
+
+	reg_conf_tbl = kzalloc(num_byte *
+		(sizeof(struct msm_camera_i2c_reg_array)), GFP_KERNEL);
+	if (!reg_conf_tbl) {
+		pr_err("%s:%d no memory\n", __func__, __LINE__);
+		return -ENOMEM;
+	}
+
+	reg_conf_tbl[0].reg_addr = addr;
 	for (i = 0; i < num_byte; i++) {
 		reg_conf_tbl[i].reg_data = data[i];
 		reg_conf_tbl[i].delay = 0;
@@ -169,6 +176,8 @@ int32_t msm_camera_cci_i2c_write_seq(struct msm_camera_i2c_client *client,
 			core, ioctl, VIDIOC_MSM_CCI_CFG, &cci_ctrl);
 	CDBG("%s line %d rc = %d\n", __func__, __LINE__, rc);
 	rc = cci_ctrl.status;
+	kfree(reg_conf_tbl);
+	reg_conf_tbl = NULL;
 	return rc;
 }
 
-- 
cgit v1.1
Add patches for many Linux CVEs, and overhaul script paths 2017-10-29 01:48:53 -04:00			`From 27fbeb6b025d5d46ccb0497cbed4c6e78ed1c5cc Mon Sep 17 00:00:00 2001`
			`From: Vasko Kalanoski <vaskok@codeaurora.org>`
			`Date: Tue, 3 Feb 2015 13:17:44 +0200`
			`Subject: msm: camera: restructure data handling to be more robust`

			`add dynamic array allocation instead of static to prevent`
			`stack overflow.`

			`Change-Id: Id12ed5b01809021d2b1d1d71436f2523b575d9de`
			`Signed-off-by: Vasko Kalanoski <vaskok@codeaurora.org>`
			`---`
			`.../msm/camera_v2/sensor/io/msm_camera_cci_i2c.c \| 25 +++++++++++++++-------`
			`1 file changed, 17 insertions(+), 8 deletions(-)`

			`diff --git a/drivers/media/platform/msm/camera_v2/sensor/io/msm_camera_cci_i2c.c b/drivers/media/platform/msm/camera_v2/sensor/io/msm_camera_cci_i2c.c`
			`index 4b0bde95..59ad29f 100644`
			`--- a/drivers/media/platform/msm/camera_v2/sensor/io/msm_camera_cci_i2c.c`
			`+++ b/drivers/media/platform/msm/camera_v2/sensor/io/msm_camera_cci_i2c.c`
			`@@ -1,4 +1,4 @@`
			`-/* Copyright (c) 2011-2014, The Linux Foundation. All rights reserved.`
			`+/* Copyright (c) 2011-2015, The Linux Foundation. All rights reserved.`
			`*`
			`* This program is free software; you can redistribute it and/or modify`
			`* it under the terms of the GNU General Public License version 2 and`
			`@@ -138,23 +138,30 @@ int32_t msm_camera_cci_i2c_write_seq(struct msm_camera_i2c_client *client,`
			`int32_t rc = -EFAULT;`
			`uint8_t i = 0;`
			`struct msm_camera_cci_ctrl cci_ctrl;`
			`- struct msm_camera_i2c_reg_array reg_conf_tbl[num_byte];`
			`+ struct msm_camera_i2c_reg_array *reg_conf_tbl = NULL;`

			`if ((client->addr_type != MSM_CAMERA_I2C_BYTE_ADDR`
			`&& client->addr_type != MSM_CAMERA_I2C_WORD_ADDR)`
			`\|\| num_byte == 0)`
			`return rc;`

			`- S_I2C_DBG("%s reg addr = 0x%x num bytes: %d\n",`
			`- __func__, addr, num_byte);`
			`- memset(reg_conf_tbl, 0,`
			`- num_byte * sizeof(struct msm_camera_i2c_reg_array));`
			`- reg_conf_tbl[0].reg_addr = addr;`
			`if (num_byte > I2C_SEQ_REG_DATA_MAX) {`
			`pr_err("%s: num_byte=%d clamped to max supported %d\n",`
			`__func__, num_byte, I2C_SEQ_REG_DATA_MAX);`
			`- num_byte = I2C_SEQ_REG_DATA_MAX;`
			`+ return rc;`
			`}`
			`+`
			`+ S_I2C_DBG("%s reg addr = 0x%x num bytes: %d\n",`
			`+ __func__, addr, num_byte);`
			`+`
			`+ reg_conf_tbl = kzalloc(num_byte *`
			`+ (sizeof(struct msm_camera_i2c_reg_array)), GFP_KERNEL);`
			`+ if (!reg_conf_tbl) {`
			`+ pr_err("%s:%d no memory\n", __func__, __LINE__);`
			`+ return -ENOMEM;`
			`+ }`
			`+`
			`+ reg_conf_tbl[0].reg_addr = addr;`
			`for (i = 0; i < num_byte; i++) {`
			`reg_conf_tbl[i].reg_data = data[i];`
			`reg_conf_tbl[i].delay = 0;`
			`@@ -169,6 +176,8 @@ int32_t msm_camera_cci_i2c_write_seq(struct msm_camera_i2c_client *client,`
			`core, ioctl, VIDIOC_MSM_CCI_CFG, &cci_ctrl);`
			`CDBG("%s line %d rc = %d\n", __func__, __LINE__, rc);`
			`rc = cci_ctrl.status;`
			`+ kfree(reg_conf_tbl);`
			`+ reg_conf_tbl = NULL;`
			`return rc;`
			`}`

			`--`
			`cgit v1.1`