DivestOS/Patches/Linux_CVEs/CVE-2016-6756/ANY/0.patch

54 lines
1.8 KiB
Diff
Raw Normal View History

From f91d28dcba304c9f3af35b5bebaa26233c8c13a5 Mon Sep 17 00:00:00 2001
From: Suman Mukherjee <sumam@codeaurora.org>
Date: Thu, 29 Sep 2016 09:19:05 +0530
Subject: msm: camera: cpp: Add validation for v4l2 ioctl arguments
In CPP v4l2 ioctl command is made, if _IOC_DIR(cmd) is
_IOC_NONE, then the user-supplied argument arg is not checked
and an information disclosure is possible
CRs-Fixed: 1042068
Change-Id: Iddb291b10cdcb5c42ab8497e06c2ce47885cd5ab
Signed-off-by: Suman Mukherjee <sumam@codeaurora.org>
Signed-off-by: Sunid Wilson <sunidw@codeaurora.org>
---
drivers/media/platform/msm/camera_v2/pproc/cpp/msm_cpp.c | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/drivers/media/platform/msm/camera_v2/pproc/cpp/msm_cpp.c b/drivers/media/platform/msm/camera_v2/pproc/cpp/msm_cpp.c
index ac0ba8e..964703c 100644
--- a/drivers/media/platform/msm/camera_v2/pproc/cpp/msm_cpp.c
+++ b/drivers/media/platform/msm/camera_v2/pproc/cpp/msm_cpp.c
@@ -2495,14 +2495,14 @@ static int msm_cpp_validate_input(unsigned int cmd, void *arg,
break;
default:
if (ioctl_ptr == NULL) {
- pr_err("Wrong ioctl_ptr %pK\n", ioctl_ptr);
+ pr_err("Wrong ioctl_ptr for cmd %u\n", cmd);
return -EINVAL;
}
*ioctl_ptr = arg;
if ((*ioctl_ptr == NULL) ||
- ((*ioctl_ptr)->ioctl_ptr == NULL)) {
- pr_err("Wrong arg %pK\n", arg);
+ (*ioctl_ptr)->ioctl_ptr == NULL) {
+ pr_err("Error invalid ioctl argument cmd %u\n", cmd);
return -EINVAL;
}
break;
@@ -2542,6 +2542,10 @@ long msm_cpp_subdev_ioctl(struct v4l2_subdev *sd,
pr_err("cpp_dev is null\n");
return -EINVAL;
}
+ if (_IOC_DIR(cmd) == _IOC_NONE) {
+ pr_err("Invalid ioctl/subdev cmd %u", cmd);
+ return -EINVAL;
+ }
rc = msm_cpp_validate_input(cmd, arg, &ioctl_ptr);
if (rc != 0) {
pr_err("input validation failed\n");
--
cgit v1.1