DivestOS/Patches/Linux_CVEs/CVE-2014-9882/0.patch

From 3a4ebaac557a9e3fbcbab4561650abac8298a4d9 Mon Sep 17 00:00:00 2001
From: Satish Kodishala <skodisha@codeaurora.org>
Date: Thu, 10 Oct 2013 15:44:11 +0530
Subject: radio: iris: Checking if driver's buffer is large enough.

Checking if driver's buffer is large enough to copy
the data from user space.

Change-Id: I7b4eed81cf77ce2973669ce18ccd95a5df397d82
CRs-fixed: 552329
Signed-off-by: Satish Kodishala <skodisha@codeaurora.org>
---
 drivers/media/radio/radio-iris.c | 23 ++++++++++++++++++-----
 1 file changed, 18 insertions(+), 5 deletions(-)

diff --git a/drivers/media/radio/radio-iris.c b/drivers/media/radio/radio-iris.c
index 5e056be..a9e25bd 100644
--- a/drivers/media/radio/radio-iris.c
+++ b/drivers/media/radio/radio-iris.c
@@ -3472,13 +3472,26 @@ static int iris_vidioc_s_ctrl(struct file *file, void *priv,
 		radio->riva_data_req.cmd_params.start_addr = ctrl->value;
 		break;
 	case V4L2_CID_PRIVATE_IRIS_RIVA_ACCS_LEN:
-		radio->riva_data_req.cmd_params.length = ctrl->value;
+		if ((ctrl->value > 0) &&
+			(ctrl->value <= MAX_RIVA_PEEK_RSP_SIZE)) {
+			radio->riva_data_req.cmd_params.length = ctrl->value;
+		} else {
+			FMDERR("Length %d is more than the buffer size %d\n",
+			ctrl->value, MAX_RIVA_PEEK_RSP_SIZE);
+			retval = -EINVAL;
+		}
 		break;
 	case V4L2_CID_PRIVATE_IRIS_RIVA_POKE:
-		memcpy(radio->riva_data_req.data, (void *)ctrl->value,
-					radio->riva_data_req.cmd_params.length);
-		radio->riva_data_req.cmd_params.subopcode = RIVA_POKE_OPCODE;
-		retval = hci_poke_data(&radio->riva_data_req , radio->fm_hdev);
+		if (radio->riva_data_req.cmd_params.length <= MAX_RIVA_PEEK_RSP_SIZE) {
+			memcpy(radio->riva_data_req.data, (void *)ctrl->value,
+						radio->riva_data_req.cmd_params.length);
+			radio->riva_data_req.cmd_params.subopcode = RIVA_POKE_OPCODE;
+			retval = hci_poke_data(&radio->riva_data_req , radio->fm_hdev);
+		} else {
+			FMDERR("Can not copy into driver's buffer. Length %d is more than"
+			 "the buffer size %d\n", ctrl->value, MAX_RIVA_PEEK_RSP_SIZE);
+			retval = -EINVAL;
+		}
 		break;
 	case V4L2_CID_PRIVATE_IRIS_SSBI_ACCS_ADDR:
 		radio->ssbi_data_accs.start_addr = ctrl->value;
-- 
cgit v1.1
Add patches for many Linux CVEs, and overhaul script paths 2017-10-29 01:48:53 -04:00			`From 3a4ebaac557a9e3fbcbab4561650abac8298a4d9 Mon Sep 17 00:00:00 2001`
			`From: Satish Kodishala <skodisha@codeaurora.org>`
			`Date: Thu, 10 Oct 2013 15:44:11 +0530`
			`Subject: radio: iris: Checking if driver's buffer is large enough.`

			`Checking if driver's buffer is large enough to copy`
			`the data from user space.`

			`Change-Id: I7b4eed81cf77ce2973669ce18ccd95a5df397d82`
			`CRs-fixed: 552329`
			`Signed-off-by: Satish Kodishala <skodisha@codeaurora.org>`
			`---`
			`drivers/media/radio/radio-iris.c \| 23 ++++++++++++++++++-----`
			`1 file changed, 18 insertions(+), 5 deletions(-)`

			`diff --git a/drivers/media/radio/radio-iris.c b/drivers/media/radio/radio-iris.c`
			`index 5e056be..a9e25bd 100644`
			`--- a/drivers/media/radio/radio-iris.c`
			`+++ b/drivers/media/radio/radio-iris.c`
			`@@ -3472,13 +3472,26 @@ static int iris_vidioc_s_ctrl(struct file file, void priv,`
			`radio->riva_data_req.cmd_params.start_addr = ctrl->value;`
			`break;`
			`case V4L2_CID_PRIVATE_IRIS_RIVA_ACCS_LEN:`
			`- radio->riva_data_req.cmd_params.length = ctrl->value;`
			`+ if ((ctrl->value > 0) &&`
			`+ (ctrl->value <= MAX_RIVA_PEEK_RSP_SIZE)) {`
			`+ radio->riva_data_req.cmd_params.length = ctrl->value;`
			`+ } else {`
			`+ FMDERR("Length %d is more than the buffer size %d\n",`
			`+ ctrl->value, MAX_RIVA_PEEK_RSP_SIZE);`
			`+ retval = -EINVAL;`
			`+ }`
			`break;`
			`case V4L2_CID_PRIVATE_IRIS_RIVA_POKE:`
			`- memcpy(radio->riva_data_req.data, (void *)ctrl->value,`
			`- radio->riva_data_req.cmd_params.length);`
			`- radio->riva_data_req.cmd_params.subopcode = RIVA_POKE_OPCODE;`
			`- retval = hci_poke_data(&radio->riva_data_req , radio->fm_hdev);`
			`+ if (radio->riva_data_req.cmd_params.length <= MAX_RIVA_PEEK_RSP_SIZE) {`
			`+ memcpy(radio->riva_data_req.data, (void *)ctrl->value,`
			`+ radio->riva_data_req.cmd_params.length);`
			`+ radio->riva_data_req.cmd_params.subopcode = RIVA_POKE_OPCODE;`
			`+ retval = hci_poke_data(&radio->riva_data_req , radio->fm_hdev);`
			`+ } else {`
			`+ FMDERR("Can not copy into driver's buffer. Length %d is more than"`
			`+ "the buffer size %d\n", ctrl->value, MAX_RIVA_PEEK_RSP_SIZE);`
			`+ retval = -EINVAL;`
			`+ }`
			`break;`
			`case V4L2_CID_PRIVATE_IRIS_SSBI_ACCS_ADDR:`
			`radio->ssbi_data_accs.start_addr = ctrl->value;`
			`--`
			`cgit v1.1`