DivestOS/Patches/Linux_CVEs/CVE-2014-9866/ANY/0001.patch


From 8e6daae70422ad35146a87700e6634a747d1ff5d Mon Sep 17 00:00:00 2001
From: Hariram Purushothaman <hpurus@codeaurora.org>
Date: Tue, 16 Jul 2013 11:23:47 -0700
Subject: msm: camera: Bound check num_cid from userspace in csid driver
Lower and upper bound checks are enforced on num_cid,
which is passed from userspace: the minimum is 1 and
the maximum is 16.
Change-Id: Ic5456289cb2f2b4ea17610a7672eb2c5225b7954
Signed-off-by: Hariram Purushothaman <hpurus@codeaurora.org>
---
drivers/media/platform/msm/camera_v2/sensor/csid/msm_csid.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/drivers/media/platform/msm/camera_v2/sensor/csid/msm_csid.c b/drivers/media/platform/msm/camera_v2/sensor/csid/msm_csid.c
index 9aca234..229fdb2 100644
--- a/drivers/media/platform/msm/camera_v2/sensor/csid/msm_csid.c
+++ b/drivers/media/platform/msm/camera_v2/sensor/csid/msm_csid.c
@@ -440,7 +440,7 @@ static long msm_csid_cmd(struct csid_device *csid_dev, void *arg)
case CSID_CFG: {
struct msm_camera_csid_params csid_params;
struct msm_camera_csid_vc_cfg *vc_cfg = NULL;
- int32_t i = 0;
+ int8_t i = 0;
if (copy_from_user(&csid_params,
(void *)cdata->cfg.csid_params,
sizeof(struct msm_camera_csid_params))) {
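Review bot: Narrowing the loop index to `int8_t i` in the `CSID_CFG` case gains nothing over the previous `int32_t`, since the comparison against `num_cid` is done after integer promotion anyway, and it makes the loop's termination depend on the range check added in the next hunk. If that limit were ever raised above 127, or the check moved, `i` would go out of range for `int8_t` before reaching `num_cid`. I would keep `int32_t i = 0;`, or at least record the dependency next to the declaration with `/* i < num_cid <= 16, enforced before the loop */`. The declaration of `num_cid` and the rest of `msm_csid_cmd` are outside this hunk, so the field's own type should be confirmed when choosing the index type.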
@@ -448,6 +448,13 @@ static long msm_csid_cmd(struct csid_device *csid_dev, void *arg)
rc = -EFAULT;
break;
}
+ if (csid_params.lut_params.num_cid < 1 ||
+ csid_params.lut_params.num_cid > 16) {
+ pr_err("%s: %d num_cid outside range\n",
+ __func__, __LINE__);
+ rc = -EINVAL;
+ break;
+ }
for (i = 0; i < csid_params.lut_params.num_cid; i++) {
vc_cfg = kzalloc(csid_params.lut_params.num_cid *
sizeof(struct msm_camera_csid_vc_cfg),
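Review bot: The upper bound in the new `num_cid` check is a bare `16`, so nothing ties it to the size of whatever per-CID storage the following loop populates. That storage is declared outside this hunk and presumably has 16 entries, and if its size changes the check will silently go stale. Prefer a named limit from the header that declares `lut_params` if one exists, or add a comment such as `/* num_cid counts entries in the per-CID table of lut_params; keep in sync with its size */`. The `pr_err` is also reachable from userspace on every rejected request and does not print the offending value, so `pr_err_ratelimited` with `num_cid` in the message would keep the log from being flooded and make it more useful for triage. The loop body and the rest of `msm_csid_cmd` continue past the end of the hunk.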
--
cgit v1.1