Git-Mirrors/DivestOS
1
0
Fork 0
mirror of https://github.com/Divested-Mobile/DivestOS-Build.git synced 2025-09-18 19:54:51 -04:00
Code Issues Projects Releases Packages Wiki Activity

Switch to new CVE patchset

Browse source
This commit is contained in:
Tad 2017-11-07 17:32:46 -05:00
parent 57ce42402b
commit 11c7037780
1215 changed files with 60697 additions and 14533 deletions
Download patch file Download diff file Expand all files Collapse all files

57
Patches/Linux_CVEs/CVE-2017-11028/ANY/0001.patch Normal file
View file

@ -0,0 +1,57 @@
From fd70b655d901e626403f132b65fc03d993f0a09b Mon Sep 17 00:00:00 2001
From: Senthil Kumar Rajagopal <skrajago@codeaurora.org>
Date: Mon, 10 Apr 2017 15:11:14 +0530
Subject: msm: camera: isp: add bound check to handle array out of access
The pointer req_frm comes from userspace,
req_frm->stream_handle is passed as an argument to
the function msm_isp_get_stream_common_data,
stream_idx can overflow common_data->streams[] and
the code ends up copying an out of bound
kernel address into stream_info. Adding bound check to
handle the same.
CRs-fixed: 2008683
Change-Id: Ib4a059bfd573cdc4e18ce630b4091576ff8edc7e
Signed-off-by: Senthil Kumar Rajagopal <skrajago@codeaurora.org>
---
drivers/media/platform/msm/camera_v2/isp/msm_isp_axi_util.c | 6 ++++++
drivers/media/platform/msm/camera_v2/isp/msm_isp_axi_util.h | 5 +++++
2 files changed, 11 insertions(+)
diff --git a/drivers/media/platform/msm/camera_v2/isp/msm_isp_axi_util.c b/drivers/media/platform/msm/camera_v2/isp/msm_isp_axi_util.c
index dce474e..8ab2e85 100644
--- a/drivers/media/platform/msm/camera_v2/isp/msm_isp_axi_util.c
+++ b/drivers/media/platform/msm/camera_v2/isp/msm_isp_axi_util.c
@@ -3909,6 +3909,12 @@ int msm_isp_update_axi_stream(struct vfe_device *vfe_dev, void *arg)
&update_cmd->req_frm_ver2;
stream_info = msm_isp_get_stream_common_data(vfe_dev,
HANDLE_TO_IDX(req_frm->stream_handle));
+ if (stream_info == NULL) {
+ pr_err_ratelimited("%s: stream_info is NULL\n",
+ __func__);
+ rc = -EINVAL;
+ break;
+ }
rc = msm_isp_request_frame(vfe_dev, stream_info,
req_frm->user_stream_id,
req_frm->frame_id,
diff --git a/drivers/media/platform/msm/camera_v2/isp/msm_isp_axi_util.h b/drivers/media/platform/msm/camera_v2/isp/msm_isp_axi_util.h
index 65009cb..a8d4cfb 100644
--- a/drivers/media/platform/msm/camera_v2/isp/msm_isp_axi_util.h
+++ b/drivers/media/platform/msm/camera_v2/isp/msm_isp_axi_util.h
@@ -141,6 +141,11 @@ static inline struct msm_vfe_axi_stream *msm_isp_get_stream_common_data(
struct msm_vfe_common_dev_data *common_data = vfe_dev->common_data;
struct msm_vfe_axi_stream *stream_info;
+ if (stream_idx >= VFE_AXI_SRC_MAX) {
+ pr_err("invalid stream_idx %d\n", stream_idx);
+ return NULL;
+ }
+
if (vfe_dev->is_split && stream_idx < RDI_INTF_0)
stream_info = &common_data->streams[stream_idx];
else
--
cgit v1.1