From 1f274b74c00187ba1c379971503f51944148b22f Mon Sep 17 00:00:00 2001
From: Lakshmi Narayana Kalavala
Date: Thu, 25 Jul 2013 15:55:03 -0700
Subject: msm: camera: Fix possible out of bound writes in csi driver
The value csi_lane_mask which is uint16_t is controllable from userspace. The while loop can loop for 2^16 - 1, Hence extract the required bit combination from the userspace argument, used it for further processing.
CRs-Fixed: 511976
Change-Id: I80b0fe7ac273352503d9705510f05debe6cbb10a
Signed-off-by: Lakshmi Narayana Kalavala
---
 drivers/media/platform/msm/camera_v2/sensor/csiphy/msm_csiphy.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/drivers/media/platform/msm/camera_v2/sensor/csiphy/msm_csiphy.c b/drivers/media/platform/msm/camera_v2/sensor/csiphy/msm_csiphy.c
index 21b9cdc..32cf0d3 100644
--- a/drivers/media/platform/msm/camera_v2/sensor/csiphy/msm_csiphy.c
+++ b/drivers/media/platform/msm/camera_v2/sensor/csiphy/msm_csiphy.c
@@ -423,7 +423,7 @@ static int msm_csiphy_release(struct csiphy_device *csiphy_dev, void *arg)
 __LINE__, csi_lane_params);
 return -EINVAL;
 }
- csi_lane_mask = csi_lane_params->csi_lane_mask;
+ csi_lane_mask = (csi_lane_params->csi_lane_mask & 0x1F);
 CDBG("%s csiphy_params, lane assign %x mask = %x\n", __func__,
@@ -436,7 +436,7 @@ static int msm_csiphy_release(struct csiphy_device *csiphy_dev, void *arg)
 csiphy_dev->lane_mask[csiphy_dev->pdev->id] &= ~(csi_lane_mask);
 i = 0;
- while (csi_lane_mask & 0x1F) {
+ while (csi_lane_mask) {
 if (csi_lane_mask & 0x1) {
 msm_camera_io_w(0x0, csiphy_dev->base + MIPI_CSIPHY_LNn_CFG2_ADDR + 0x40*i);
@@ -507,7 +507,7 @@ static int msm_csiphy_release(struct csiphy_device *csiphy_dev, void *arg)
 __LINE__, csi_lane_params);
 return -EINVAL;
 }
- csi_lane_mask = csi_lane_params->csi_lane_mask;
+ csi_lane_mask = (csi_lane_params->csi_lane_mask & 0x1F);
 CDBG("%s csiphy_params, lane assign %x mask = %x\n", __func__,
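Review bot: In the hunk at `-423,7`, the added `& 0x1F` silently discards any higher bits the caller set in `csi_lane_params->csi_lane_mask`, so a malformed request from userspace is processed as if it were valid and leaves no trace. The lines just above already return `-EINVAL` for a bad `csi_lane_params`; if release is not required to succeed on garbage input, rejecting the request would be consistent with that, e.g. `if (csi_lane_params->csi_lane_mask & ~0x1F) return -EINVAL;`, and otherwise a one-line comment such as `/* only bits 0-4 name lanes; ignore anything else from userspace */` would record why truncation is intended. The bare `0x1F` also encodes how many lane register blocks the later loop may write, so a named constant shared with that loop would keep the two in step. The same applies to the identical hunk at `-507,7`; the function body starts and ends outside both hunks.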
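Review bot: In the hunk at `-436,7`, removing `& 0x1F` from the loop condition means the bound on `i`, and therefore on the `MIPI_CSIPHY_LNn_CFG2_ADDR + 0x40*i` write offset, now rests entirely on the masking done at the assignment earlier in the function; nothing in the loop itself limits the index. A local bound would keep the register write in range even if a later change assigns `csi_lane_mask` without masking, for example `while (csi_lane_mask && i < 5) {`, where 5 is the number of bits in `0x1F`. The shift of `csi_lane_mask` and the increment of `i` are outside the hunk, so termination after at most five iterations is inferred from the commit description rather than visible here. The same applies to the identical hunk at `-520,7`.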
@@ -520,7 +520,7 @@ static int msm_csiphy_release(struct csiphy_device *csiphy_dev, void *arg)
 csiphy_dev->lane_mask[csiphy_dev->pdev->id] &= ~(csi_lane_mask);
 i = 0;
- while (csi_lane_mask & 0x1F) {
+ while (csi_lane_mask) {
 if (csi_lane_mask & 0x1) {
 msm_camera_io_w(0x0, csiphy_dev->base + MIPI_CSIPHY_LNn_CFG2_ADDR + 0x40*i);
--
cgit v1.1