DivestOS/Patches/Linux_CVEs/CVE-2013-4738/ANY/0001.patch

From c9c81836ee44db9974007d34cf2aaeb1a51a8d45 Mon Sep 17 00:00:00 2001
From: Hariram Purushothaman <hpurus@codeaurora.org>
Date: Fri, 9 Aug 2013 11:21:50 -0700
Subject: msm: camera: Bound check length for Dequeue stream buff info

Bound check the length param from user space given to
copy_from_user function to avoid any invalid memory access.

Change-Id: I926509a5fffd49cfc0130d182f246fbb9335b60e
CRs-Fixed: 519124
Signed-off-by: Hariram Purushothaman <hpurus@codeaurora.org>
---
 drivers/media/platform/msm/camera_v2/pproc/vpe/msm_vpe.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/drivers/media/platform/msm/camera_v2/pproc/vpe/msm_vpe.c b/drivers/media/platform/msm/camera_v2/pproc/vpe/msm_vpe.c
index d302131..3aaff78 100644
--- a/drivers/media/platform/msm/camera_v2/pproc/vpe/msm_vpe.c
+++ b/drivers/media/platform/msm/camera_v2/pproc/vpe/msm_vpe.c
@@ -1323,6 +1323,11 @@ static long msm_vpe_subdev_ioctl(struct v4l2_subdev *sd,
 		struct msm_vpe_buff_queue_info_t *buff_queue_info;
 
 		VPE_DBG("VIDIOC_MSM_VPE_DEQUEUE_STREAM_BUFF_INFO\n");
+		if (ioctl_ptr->len != sizeof(uint32_t)) {
+			pr_err("%s:%d Invalid len\n", __func__, __LINE__);
+			mutex_unlock(&vpe_dev->mutex);
+			return -EINVAL;
+		}
 
 		rc = (copy_from_user(&identity,
 				(void __user *)ioctl_ptr->ioctl_ptr,
-- 
cgit v1.1
Switch to new CVE patchset 2017-11-07 17:32:46 -05:00			`From c9c81836ee44db9974007d34cf2aaeb1a51a8d45 Mon Sep 17 00:00:00 2001`
			`From: Hariram Purushothaman <hpurus@codeaurora.org>`
			`Date: Fri, 9 Aug 2013 11:21:50 -0700`
			`Subject: msm: camera: Bound check length for Dequeue stream buff info`

			`Bound check the length param from user space given to`
			`copy_from_user function to avoid any invalid memory access.`

			`Change-Id: I926509a5fffd49cfc0130d182f246fbb9335b60e`
			`CRs-Fixed: 519124`
			`Signed-off-by: Hariram Purushothaman <hpurus@codeaurora.org>`
			`---`
			`drivers/media/platform/msm/camera_v2/pproc/vpe/msm_vpe.c \| 5 +++++`
			`1 file changed, 5 insertions(+)`

			`diff --git a/drivers/media/platform/msm/camera_v2/pproc/vpe/msm_vpe.c b/drivers/media/platform/msm/camera_v2/pproc/vpe/msm_vpe.c`
			`index d302131..3aaff78 100644`
			`--- a/drivers/media/platform/msm/camera_v2/pproc/vpe/msm_vpe.c`
			`+++ b/drivers/media/platform/msm/camera_v2/pproc/vpe/msm_vpe.c`
			`@@ -1323,6 +1323,11 @@ static long msm_vpe_subdev_ioctl(struct v4l2_subdev *sd,`
			`struct msm_vpe_buff_queue_info_t *buff_queue_info;`

			`VPE_DBG("VIDIOC_MSM_VPE_DEQUEUE_STREAM_BUFF_INFO\n");`
			`+ if (ioctl_ptr->len != sizeof(uint32_t)) {`
			`+ pr_err("%s:%d Invalid len\n", __func__, __LINE__);`
			`+ mutex_unlock(&vpe_dev->mutex);`
			`+ return -EINVAL;`
			`+ }`

			`rc = (copy_from_user(&identity,`
			`(void __user *)ioctl_ptr->ioctl_ptr,`
			`--`
			`cgit v1.1`