DivestOS/Patches/Linux_CVEs/CVE-2016-6740/3.18/0.patch

55 lines
2.4 KiB
Diff
Raw Normal View History

From a939a87f0adf91feceb329a5c080b86e1ee333c7 Mon Sep 17 00:00:00 2001
From: Samyukta Mogily <smogily@codeaurora.org>
Date: Thu, 1 Sep 2016 18:16:50 +0530
Subject: msm: sensor: Avoid potential stack overflow
Add a check to validate the user input data is not
greater than expected stack buffer size to avoid out
of bounds array accesses
CRs-Fixed: 1056307
Change-Id: Ifd1f4e828373535fdf963aad22b217ae880c778c
Signed-off-by: Samyukta Mogily <smogily@codeaurora.org>
---
drivers/media/platform/msm/camera_v2/sensor/io/msm_camera_cci_i2c.c | 6 ++++++
drivers/media/platform/msm/camera_v2/sensor/io/msm_camera_qup_i2c.c | 6 ++++++
2 files changed, 12 insertions(+)
diff --git a/drivers/media/platform/msm/camera_v2/sensor/io/msm_camera_cci_i2c.c b/drivers/media/platform/msm/camera_v2/sensor/io/msm_camera_cci_i2c.c
index 7315327..99d4b654 100644
--- a/drivers/media/platform/msm/camera_v2/sensor/io/msm_camera_cci_i2c.c
+++ b/drivers/media/platform/msm/camera_v2/sensor/io/msm_camera_cci_i2c.c
@@ -272,6 +272,12 @@ int32_t msm_camera_cci_i2c_write_seq_table(
client_addr_type = client->addr_type;
client->addr_type = write_setting->addr_type;
+ if (reg_setting->reg_data_size > I2C_SEQ_REG_DATA_MAX) {
+ pr_err("%s: number of bytes %u exceeding the max supported %d\n",
+ __func__, reg_setting->reg_data_size, I2C_SEQ_REG_DATA_MAX);
+ return rc;
+ }
+
for (i = 0; i < write_setting->size; i++) {
rc = msm_camera_cci_i2c_write_seq(client, reg_setting->reg_addr,
reg_setting->reg_data, reg_setting->reg_data_size);
diff --git a/drivers/media/platform/msm/camera_v2/sensor/io/msm_camera_qup_i2c.c b/drivers/media/platform/msm/camera_v2/sensor/io/msm_camera_qup_i2c.c
index f542ec2..eced0ce 100644
--- a/drivers/media/platform/msm/camera_v2/sensor/io/msm_camera_qup_i2c.c
+++ b/drivers/media/platform/msm/camera_v2/sensor/io/msm_camera_qup_i2c.c
@@ -290,6 +290,12 @@ int32_t msm_camera_qup_i2c_write_seq_table(struct msm_camera_i2c_client *client,
client_addr_type = client->addr_type;
client->addr_type = write_setting->addr_type;
+ if (reg_setting->reg_data_size > I2C_SEQ_REG_DATA_MAX) {
+ pr_err("%s: number of bytes %u exceeding the max supported %d\n",
+ __func__, reg_setting->reg_data_size, I2C_SEQ_REG_DATA_MAX);
+ return rc;
+ }
+
for (i = 0; i < write_setting->size; i++) {
rc = msm_camera_qup_i2c_write_seq(client, reg_setting->reg_addr,
reg_setting->reg_data, reg_setting->reg_data_size);
--
cgit v1.1