Update Linux CVE patches

2025-10-04 09:28:29 -04:00 · 2017-10-29 22:14:37 -04:00 · 2017-10-29 22:14:37 -04:00 · 3989a1b20b
commit 3989a1b20b
parent 12b63c12b7
958 changed files with 21074 additions and 397 deletions
--- a/Patches/Linux_CVEs/CVE-2016-6741/3.10/0.patch
+++ b/Patches/Linux_CVEs/CVE-2016-6741/3.10/0.patch
@ -0,0 +1,137 @@
+From 80a1d9978c11f76bbe6d2e622bf2ded18f27e34f Mon Sep 17 00:00:00 2001
+From: VijayaKumar T M <vtmuni@codeaurora.org>
+Date: Wed, 7 Sep 2016 12:53:43 +0530
+Subject: msm: camera: Restructure data handling to be more robust
+
+Use dynamic array allocation instead of static array to
+prevent stack overflow.
+User-supplied number of bytes may result in integer overflow.
+To fix this we check that the num_byte isn't above 8K size.
+
+CRs-Fixed: 1060554
+Change-Id: I9b05b846e5cc3a62b1a0a67be529f09abc764796
+Signed-off-by: VijayaKumar T M <vtmuni@codeaurora.org>
+---
+ .../msm/camera_v2/sensor/io/msm_camera_cci_i2c.c   |  6 ++++
+ .../msm/camera_v2/sensor/io/msm_camera_qup_i2c.c   | 39 ++++++++++++++++++++--
+ 2 files changed, 43 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/media/platform/msm/camera_v2/sensor/io/msm_camera_cci_i2c.c b/drivers/media/platform/msm/camera_v2/sensor/io/msm_camera_cci_i2c.c
+index 07b7e32..f970233 100644
+--- a/drivers/media/platform/msm/camera_v2/sensor/io/msm_camera_cci_i2c.c
+++ b/drivers/media/platform/msm/camera_v2/sensor/io/msm_camera_cci_i2c.c
+@@ -71,6 +71,12 @@ int32_t msm_camera_cci_i2c_read_seq(struct msm_camera_i2c_client *client,
+ 		|| num_byte == 0)
+ 		return rc;
+ 
+	if (num_byte > I2C_REG_DATA_MAX) {
+		pr_err("%s: Error num_byte:0x%x exceeds 8K max supported:0x%x\n",
+			__func__, num_byte, I2C_REG_DATA_MAX);
+		return rc;
+	}
+
+ 	buf = kzalloc(num_byte, GFP_KERNEL);
+ 	if (!buf) {
+ 		pr_err("%s:%d no memory\n", __func__, __LINE__);
+diff --git a/drivers/media/platform/msm/camera_v2/sensor/io/msm_camera_qup_i2c.c b/drivers/media/platform/msm/camera_v2/sensor/io/msm_camera_qup_i2c.c
+index ee0e9ba..5fd11eb 100644
+--- a/drivers/media/platform/msm/camera_v2/sensor/io/msm_camera_qup_i2c.c
+++ b/drivers/media/platform/msm/camera_v2/sensor/io/msm_camera_qup_i2c.c
+@@ -102,7 +102,7 @@ int32_t msm_camera_qup_i2c_read(struct msm_camera_i2c_client *client,
+ 	enum msm_camera_i2c_data_type data_type)
+ {
+ 	int32_t rc = -EFAULT;
+-	unsigned char buf[client->addr_type+data_type];
+	unsigned char *buf = NULL;
+ 
+ 	if ((client->addr_type != MSM_CAMERA_I2C_BYTE_ADDR
+ 		&& client->addr_type != MSM_CAMERA_I2C_WORD_ADDR)
+@@ -110,6 +110,17 @@ int32_t msm_camera_qup_i2c_read(struct msm_camera_i2c_client *client,
+ 		&& data_type != MSM_CAMERA_I2C_WORD_DATA))
+ 		return rc;
+ 
+	if (client->addr_type > UINT_MAX - data_type) {
+		pr_err("%s: integer overflow prevented\n", __func__);
+		return rc;
+	}
+
+	buf = kzalloc(client->addr_type+data_type, GFP_KERNEL);
+	if (!buf) {
+		pr_err("%s:%d no memory\n", __func__, __LINE__);
+		return -ENOMEM;
+	}
+
+ 	if (client->addr_type == MSM_CAMERA_I2C_BYTE_ADDR) {
+ 		buf[0] = addr;
+ 	} else if (client->addr_type == MSM_CAMERA_I2C_WORD_ADDR) {
+@@ -119,6 +130,8 @@ int32_t msm_camera_qup_i2c_read(struct msm_camera_i2c_client *client,
+ 	rc = msm_camera_qup_i2c_rxdata(client, buf, data_type);
+ 	if (rc < 0) {
+ 		S_I2C_DBG("%s fail\n", __func__);
+		kfree(buf);
+		buf = NULL;
+ 		return rc;
+ 	}
+ 
+@@ -128,6 +141,8 @@ int32_t msm_camera_qup_i2c_read(struct msm_camera_i2c_client *client,
+ 		*data = buf[0] << 8 | buf[1];
+ 
+ 	S_I2C_DBG("%s addr = 0x%x data: 0x%x\n", __func__, addr, *data);
+	kfree(buf);
+	buf = NULL;
+ 	return rc;
+ }
+ 
+@@ -135,7 +150,7 @@ int32_t msm_camera_qup_i2c_read_seq(struct msm_camera_i2c_client *client,
+ 	uint32_t addr, uint8_t *data, uint32_t num_byte)
+ {
+ 	int32_t rc = -EFAULT;
+-	unsigned char buf[client->addr_type+num_byte];
+	unsigned char *buf = NULL;
+ 	int i;
+ 
+ 	if ((client->addr_type != MSM_CAMERA_I2C_BYTE_ADDR
+@@ -143,6 +158,22 @@ int32_t msm_camera_qup_i2c_read_seq(struct msm_camera_i2c_client *client,
+ 		|| num_byte == 0)
+ 		return rc;
+ 
+	if (num_byte > I2C_REG_DATA_MAX) {
+		pr_err("%s: Error num_byte:0x%x exceeds 8K max supported:0x%x\n",
+			__func__, num_byte, I2C_REG_DATA_MAX);
+		return rc;
+	}
+	if (client->addr_type > UINT_MAX - num_byte) {
+		pr_err("%s: integer overflow prevented\n", __func__);
+		return rc;
+	}
+
+	buf = kzalloc(client->addr_type+num_byte, GFP_KERNEL);
+	if (!buf) {
+		pr_err("%s:%d no memory\n", __func__, __LINE__);
+		return -ENOMEM;
+	}
+
+ 	if (client->addr_type == MSM_CAMERA_I2C_BYTE_ADDR) {
+ 		buf[0] = addr;
+ 	} else if (client->addr_type == MSM_CAMERA_I2C_WORD_ADDR) {
+@@ -152,6 +183,8 @@ int32_t msm_camera_qup_i2c_read_seq(struct msm_camera_i2c_client *client,
+ 	rc = msm_camera_qup_i2c_rxdata(client, buf, num_byte);
+ 	if (rc < 0) {
+ 		S_I2C_DBG("%s fail\n", __func__);
+		kfree(buf);
+		buf = NULL;
+ 		return rc;
+ 	}
+ 
+@@ -161,6 +194,8 @@ int32_t msm_camera_qup_i2c_read_seq(struct msm_camera_i2c_client *client,
+ 		S_I2C_DBG("Byte %d: 0x%x\n", i, buf[i]);
+ 		S_I2C_DBG("Data: 0x%x\n", data[i]);
+ 	}
+	kfree(buf);
+	buf = NULL;
+ 	return rc;
+ }
+ 
+-- 
+cgit v1.1
+