DivestOS/Patches/Linux_CVEs/CVE-2014-9879/ANY/0.patch

From ecc8116e1befb3a764109f47ba0389434ddabbe4 Mon Sep 17 00:00:00 2001
From: Terence Hampson <thampson@codeaurora.org>
Date: Wed, 7 Aug 2013 16:54:51 -0400
Subject: mdss: mdp3: validate histogram data passed in

Data passed in from userspace should be validated to be within
the appropriate ranges.

Change-Id: I50ff818a2b03c1fff55f44403f0f1b67c26d9f0e
Signed-off-by: Terence Hampson <thampson@codeaurora.org>
---
 drivers/video/msm/mdss/mdp3_ctrl.c | 77 +++++++++++++++++++++++++++++++++++---
 drivers/video/msm/mdss/mdp3_dma.c  |  2 +-
 drivers/video/msm/mdss/mdp3_dma.h  |  6 +++
 3 files changed, 79 insertions(+), 6 deletions(-)

diff --git a/drivers/video/msm/mdss/mdp3_ctrl.c b/drivers/video/msm/mdss/mdp3_ctrl.c
index 74e6983c..31aae26 100644
--- a/drivers/video/msm/mdss/mdp3_ctrl.c
+++ b/drivers/video/msm/mdss/mdp3_ctrl.c
@@ -775,6 +775,64 @@ static int mdp3_get_metadata(struct msm_fb_data_type *mfd,
 	return ret;
 }
 
+int mdp3_validate_start_req(struct mdp_histogram_start_req *req)
+{
+	if (req->frame_cnt >= MDP_HISTOGRAM_FRAME_COUNT_MAX) {
+		pr_err("%s invalid req frame_cnt\n", __func__);
+		return -EINVAL;
+	}
+	if (req->bit_mask >= MDP_HISTOGRAM_BIT_MASK_MAX) {
+		pr_err("%s invalid req bit mask\n", __func__);
+		return -EINVAL;
+	}
+	if (req->block != MDP_BLOCK_DMA_P ||
+		req->num_bins != MDP_HISTOGRAM_BIN_NUM) {
+		pr_err("mdp3_histogram_start invalid request\n");
+		return -EINVAL;
+	}
+	return 0;
+}
+
+int mdp3_validate_scale_config(struct mdp_bl_scale_data *data)
+{
+	if (data->scale > MDP_HISTOGRAM_BL_SCALE_MAX) {
+		pr_err("%s invalid bl_scale\n", __func__);
+		return -EINVAL;
+	}
+	if (data->min_lvl > MDP_HISTOGRAM_BL_LEVEL_MAX) {
+		pr_err("%s invalid bl_min_lvl\n", __func__);
+		return -EINVAL;
+	}
+	return 0;
+}
+
+int mdp3_validate_csc_data(struct mdp_csc_cfg_data *data)
+{
+	int i;
+	for (i = 0; i < 9; i++) {
+		if (data->csc_data.csc_mv[i] >=
+				MDP_HISTOGRAM_CSC_MATRIX_MAX)
+			return -EINVAL;
+	}
+	for (i = 0; i < 3; i++) {
+		if (data->csc_data.csc_pre_bv[i] >=
+				MDP_HISTOGRAM_CSC_VECTOR_MAX)
+			return -EINVAL;
+		if (data->csc_data.csc_post_bv[i] >=
+				MDP_HISTOGRAM_CSC_VECTOR_MAX)
+			return -EINVAL;
+	}
+	for (i = 0; i < 6; i++) {
+		if (data->csc_data.csc_pre_lv[i] >=
+				MDP_HISTOGRAM_CSC_VECTOR_MAX)
+			return -EINVAL;
+		if (data->csc_data.csc_post_lv[i] >=
+				MDP_HISTOGRAM_CSC_VECTOR_MAX)
+			return -EINVAL;
+	}
+	return 0;
+}
+
 static int mdp3_histogram_start(struct mdp3_session_data *session,
 					struct mdp_histogram_start_req *req)
 {
@@ -782,11 +840,10 @@ static int mdp3_histogram_start(struct mdp3_session_data *session,
 	struct mdp3_dma_histogram_config histo_config;
 
 	pr_debug("mdp3_histogram_start\n");
-	if (req->block != MDP_BLOCK_DMA_P ||
-		req->num_bins != MDP_HISTOGRAM_BIN_NUM) {
-		pr_err("mdp3_histogram_start invalid request\n");
-		return -EINVAL;
-	}
+
+	ret = mdp3_validate_start_req(req);
+	if (ret)
+		return ret;
 
 	if (!session->dma->histo_op ||
 		!session->dma->config_histo) {
@@ -986,10 +1043,20 @@ static int mdp3_pp_ioctl(struct msm_fb_data_type *mfd,
 
 	switch (mdp_pp.op) {
 	case mdp_bl_scale_cfg:
+		ret = mdp3_validate_scale_config(&mdp_pp.data.bl_scale_data);
+		if (ret) {
+			pr_err("%s: invalid scale config\n", __func__);
+			break;
+		}
 		ret = mdp3_bl_scale_config(mfd, (struct mdp_bl_scale_data *)
 						&mdp_pp.data.bl_scale_data);
 		break;
 	case mdp_op_csc_cfg:
+		ret = mdp3_validate_csc_data(&(mdp_pp.data.csc_cfg_data));
+		if (ret) {
+			pr_err("%s: invalid csc data\n", __func__);
+			break;
+		}
 		ret = mdp3_csc_config(mdp3_session,
 						&(mdp_pp.data.csc_cfg_data));
 		break;
diff --git a/drivers/video/msm/mdss/mdp3_dma.c b/drivers/video/msm/mdss/mdp3_dma.c
index 3e1bf5d..d3f1538 100644
--- a/drivers/video/msm/mdss/mdp3_dma.c
+++ b/drivers/video/msm/mdss/mdp3_dma.c
@@ -497,7 +497,7 @@ static int mdp3_dmap_histo_config(struct mdp3_dma *dma,
 			struct mdp3_dma_histogram_config *histo_config)
 {
 	unsigned long flag;
-	u32 histo_bit_mask, histo_control;
+	u32 histo_bit_mask = 0, histo_control = 0;
 	u32 histo_isr_mask = MDP3_DMA_P_HIST_INTR_HIST_DONE_BIT |
 			MDP3_DMA_P_HIST_INTR_RESET_DONE_BIT;
 
diff --git a/drivers/video/msm/mdss/mdp3_dma.h b/drivers/video/msm/mdss/mdp3_dma.h
index e4a28dc..7dd6ba7 100644
--- a/drivers/video/msm/mdss/mdp3_dma.h
+++ b/drivers/video/msm/mdss/mdp3_dma.h
@@ -16,6 +16,12 @@
 
 #include <linux/sched.h>
 
+#define MDP_HISTOGRAM_BL_SCALE_MAX 1024
+#define MDP_HISTOGRAM_BL_LEVEL_MAX 255
+#define MDP_HISTOGRAM_FRAME_COUNT_MAX 0x20
+#define MDP_HISTOGRAM_BIT_MASK_MAX 0x4
+#define MDP_HISTOGRAM_CSC_MATRIX_MAX 0x2000
+#define MDP_HISTOGRAM_CSC_VECTOR_MAX 0x200
 #define MDP_HISTOGRAM_BIN_NUM	32
 #define MDP_LUT_SIZE 256
 
-- 
cgit v1.1
Add patches for many Linux CVEs, and overhaul script paths 2017-10-29 01:48:53 -04:00			`From ecc8116e1befb3a764109f47ba0389434ddabbe4 Mon Sep 17 00:00:00 2001`
			`From: Terence Hampson <thampson@codeaurora.org>`
			`Date: Wed, 7 Aug 2013 16:54:51 -0400`
			`Subject: mdss: mdp3: validate histogram data passed in`

			`Data passed in from userspace should be validated to be within`
			`the appropriate ranges.`

			`Change-Id: I50ff818a2b03c1fff55f44403f0f1b67c26d9f0e`
			`Signed-off-by: Terence Hampson <thampson@codeaurora.org>`
			`---`
			`drivers/video/msm/mdss/mdp3_ctrl.c \| 77 +++++++++++++++++++++++++++++++++++---`
			`drivers/video/msm/mdss/mdp3_dma.c \| 2 +-`
			`drivers/video/msm/mdss/mdp3_dma.h \| 6 +++`
			`3 files changed, 79 insertions(+), 6 deletions(-)`

			`diff --git a/drivers/video/msm/mdss/mdp3_ctrl.c b/drivers/video/msm/mdss/mdp3_ctrl.c`
			`index 74e6983c..31aae26 100644`
			`--- a/drivers/video/msm/mdss/mdp3_ctrl.c`
			`+++ b/drivers/video/msm/mdss/mdp3_ctrl.c`
			`@@ -775,6 +775,64 @@ static int mdp3_get_metadata(struct msm_fb_data_type *mfd,`
			`return ret;`
			`}`

			`+int mdp3_validate_start_req(struct mdp_histogram_start_req *req)`
			`+{`
			`+ if (req->frame_cnt >= MDP_HISTOGRAM_FRAME_COUNT_MAX) {`
			`+ pr_err("%s invalid req frame_cnt\n", __func__);`
			`+ return -EINVAL;`
			`+ }`
			`+ if (req->bit_mask >= MDP_HISTOGRAM_BIT_MASK_MAX) {`
			`+ pr_err("%s invalid req bit mask\n", __func__);`
			`+ return -EINVAL;`
			`+ }`
			`+ if (req->block != MDP_BLOCK_DMA_P \|\|`
			`+ req->num_bins != MDP_HISTOGRAM_BIN_NUM) {`
			`+ pr_err("mdp3_histogram_start invalid request\n");`
			`+ return -EINVAL;`
			`+ }`
			`+ return 0;`
			`+}`
			`+`
			`+int mdp3_validate_scale_config(struct mdp_bl_scale_data *data)`
			`+{`
			`+ if (data->scale > MDP_HISTOGRAM_BL_SCALE_MAX) {`
			`+ pr_err("%s invalid bl_scale\n", __func__);`
			`+ return -EINVAL;`
			`+ }`
			`+ if (data->min_lvl > MDP_HISTOGRAM_BL_LEVEL_MAX) {`
			`+ pr_err("%s invalid bl_min_lvl\n", __func__);`
			`+ return -EINVAL;`
			`+ }`
			`+ return 0;`
			`+}`
			`+`
			`+int mdp3_validate_csc_data(struct mdp_csc_cfg_data *data)`
			`+{`
			`+ int i;`
			`+ for (i = 0; i < 9; i++) {`
			`+ if (data->csc_data.csc_mv[i] >=`
			`+ MDP_HISTOGRAM_CSC_MATRIX_MAX)`
			`+ return -EINVAL;`
			`+ }`
			`+ for (i = 0; i < 3; i++) {`
			`+ if (data->csc_data.csc_pre_bv[i] >=`
			`+ MDP_HISTOGRAM_CSC_VECTOR_MAX)`
			`+ return -EINVAL;`
			`+ if (data->csc_data.csc_post_bv[i] >=`
			`+ MDP_HISTOGRAM_CSC_VECTOR_MAX)`
			`+ return -EINVAL;`
			`+ }`
			`+ for (i = 0; i < 6; i++) {`
			`+ if (data->csc_data.csc_pre_lv[i] >=`
			`+ MDP_HISTOGRAM_CSC_VECTOR_MAX)`
			`+ return -EINVAL;`
			`+ if (data->csc_data.csc_post_lv[i] >=`
			`+ MDP_HISTOGRAM_CSC_VECTOR_MAX)`
			`+ return -EINVAL;`
			`+ }`
			`+ return 0;`
			`+}`
			`+`
			`static int mdp3_histogram_start(struct mdp3_session_data *session,`
			`struct mdp_histogram_start_req *req)`
			`{`
			`@@ -782,11 +840,10 @@ static int mdp3_histogram_start(struct mdp3_session_data *session,`
			`struct mdp3_dma_histogram_config histo_config;`

			`pr_debug("mdp3_histogram_start\n");`
			`- if (req->block != MDP_BLOCK_DMA_P \|\|`
			`- req->num_bins != MDP_HISTOGRAM_BIN_NUM) {`
			`- pr_err("mdp3_histogram_start invalid request\n");`
			`- return -EINVAL;`
			`- }`
			`+`
			`+ ret = mdp3_validate_start_req(req);`
			`+ if (ret)`
			`+ return ret;`

			`if (!session->dma->histo_op \|\|`
			`!session->dma->config_histo) {`
			`@@ -986,10 +1043,20 @@ static int mdp3_pp_ioctl(struct msm_fb_data_type *mfd,`

			`switch (mdp_pp.op) {`
			`case mdp_bl_scale_cfg:`
			`+ ret = mdp3_validate_scale_config(&mdp_pp.data.bl_scale_data);`
			`+ if (ret) {`
			`+ pr_err("%s: invalid scale config\n", __func__);`
			`+ break;`
			`+ }`
			`ret = mdp3_bl_scale_config(mfd, (struct mdp_bl_scale_data *)`
			`&mdp_pp.data.bl_scale_data);`
			`break;`
			`case mdp_op_csc_cfg:`
			`+ ret = mdp3_validate_csc_data(&(mdp_pp.data.csc_cfg_data));`
			`+ if (ret) {`
			`+ pr_err("%s: invalid csc data\n", __func__);`
			`+ break;`
			`+ }`
			`ret = mdp3_csc_config(mdp3_session,`
			`&(mdp_pp.data.csc_cfg_data));`
			`break;`
			`diff --git a/drivers/video/msm/mdss/mdp3_dma.c b/drivers/video/msm/mdss/mdp3_dma.c`
			`index 3e1bf5d..d3f1538 100644`
			`--- a/drivers/video/msm/mdss/mdp3_dma.c`
			`+++ b/drivers/video/msm/mdss/mdp3_dma.c`
			`@@ -497,7 +497,7 @@ static int mdp3_dmap_histo_config(struct mdp3_dma *dma,`
			`struct mdp3_dma_histogram_config *histo_config)`
			`{`
			`unsigned long flag;`
			`- u32 histo_bit_mask, histo_control;`
			`+ u32 histo_bit_mask = 0, histo_control = 0;`
			`u32 histo_isr_mask = MDP3_DMA_P_HIST_INTR_HIST_DONE_BIT \|`
			`MDP3_DMA_P_HIST_INTR_RESET_DONE_BIT;`

			`diff --git a/drivers/video/msm/mdss/mdp3_dma.h b/drivers/video/msm/mdss/mdp3_dma.h`
			`index e4a28dc..7dd6ba7 100644`
			`--- a/drivers/video/msm/mdss/mdp3_dma.h`
			`+++ b/drivers/video/msm/mdss/mdp3_dma.h`
			`@@ -16,6 +16,12 @@`

			`#include <linux/sched.h>`

			`+#define MDP_HISTOGRAM_BL_SCALE_MAX 1024`
			`+#define MDP_HISTOGRAM_BL_LEVEL_MAX 255`
			`+#define MDP_HISTOGRAM_FRAME_COUNT_MAX 0x20`
			`+#define MDP_HISTOGRAM_BIT_MASK_MAX 0x4`
			`+#define MDP_HISTOGRAM_CSC_MATRIX_MAX 0x2000`
			`+#define MDP_HISTOGRAM_CSC_VECTOR_MAX 0x200`
			`#define MDP_HISTOGRAM_BIN_NUM 32`
			`#define MDP_LUT_SIZE 256`

			`--`
			`cgit v1.1`