From eba46cb98431ba1d7a6bd859f26f6ad03f1bf4d4 Mon Sep 17 00:00:00 2001
From: Rajesh Bondugula
Date: Tue, 15 Nov 2016 14:55:35 -0800
Subject: msm: camera: eeprom: Validate the power setting size
Validate the power setting size before copying. If userspace sends a value which is greater than MAX_POWER_CONFIG, then the driver accesses unintended memory. This change will fix the issue.
Crs-Fixed: 1089433
Signed-off-by: Rajesh Bondugula
Change-Id: Iaaa6f5b3c1c2ac5b5b38b3ac407d6ae394bba780
---
 .../msm/camera_v2/sensor/eeprom/msm_eeprom.c | 24 +++++++++-------------
 1 file changed, 10 insertions(+), 14 deletions(-)
diff --git a/drivers/media/platform/msm/camera_v2/sensor/eeprom/msm_eeprom.c b/drivers/media/platform/msm/camera_v2/sensor/eeprom/msm_eeprom.c
index 037e8b5..dd2f919 100644
--- a/drivers/media/platform/msm/camera_v2/sensor/eeprom/msm_eeprom.c
+++ b/drivers/media/platform/msm/camera_v2/sensor/eeprom/msm_eeprom.c
@@ -1409,6 +1409,16 @@ static int eeprom_init_config32(struct msm_eeprom_ctrl_t *e_ctrl,
 power_info = &(e_ctrl->eboard_info->power_info);
+ if ((power_setting_array32->size > MAX_POWER_CONFIG) ||
+ (power_setting_array32->size_down > MAX_POWER_CONFIG) ||
+ (!power_setting_array32->size) ||
+ (!power_setting_array32->size_down)) {
+ pr_err("%s:%d invalid power setting size=%d size_down=%d\n",
+ __func__, __LINE__, power_setting_array32->size,
+ power_setting_array32->size_down);
+ rc = -EINVAL;
+ goto free_mem;
+ }
 msm_eeprom_copy_power_settings_compat( power_setting_array, power_setting_array32);
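Review bot: The new check rejects oversize counts only if `size` and `size_down` are unsigned; the struct msm_sensor_power_setting_array32 layout is outside this hunk, so confirm the fields are uint16_t (a signed -1 would pass both `> MAX_POWER_CONFIG` and `!size` and reach the copy). It also presumes power_setting_array32 is the kernel-side copy filled by copy_from_user earlier in eeprom_init_config32, whose start is before the hunk; if the helper instead read through a user pointer, the values could change between this test and the copy (double fetch), so the validation must stay on the kernel copy. A one-line why-comment above the if would keep the ordering from being reverted later: `/* size/size_down bound the per-entry copies in msm_eeprom_copy_power_settings_compat(); validate before anything is copied. */`. Note the check only bounds the counts; whatever validates the per-entry fields the helper copies (if anything does) is not visible here.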
@@ -1423,20 +1433,6 @@ static int eeprom_init_config32(struct msm_eeprom_ctrl_t *e_ctrl,
 power_info->power_down_setting_size = power_setting_array->size_down;
- if ((power_info->power_setting_size >
- MAX_POWER_CONFIG) ||
- (power_info->power_down_setting_size >
- MAX_POWER_CONFIG) ||
- (!power_info->power_down_setting_size) ||
- (!power_info->power_setting_size)) {
- rc = -EINVAL;
- pr_err("%s:%d Invalid power setting size :%d, %d\n",
- __func__, __LINE__,
- power_info->power_setting_size,
- power_info->power_down_setting_size);
- goto free_mem;
- }
-
 if (e_ctrl->i2c_client.cci_client) {
 e_ctrl->i2c_client.cci_client->i2c_freq_mode = cdata32->cfg.eeprom_info.i2c_freq_mode;
-- cgit v1.1