From fe297dc01f7ea95bb1bff25f6fc4257f0ef832ff Mon Sep 17 00:00:00 2001
From: Trishansh Bhardwaj
Date: Wed, 29 Jun 2016 14:34:31 +0530
Subject: msm: camera: Fix memory read security flaw

Adds bound check on reg_cfg_cmd->u.dmi_info.hi_tbl_offset. IOCTL VIDIOC_MSM_VFE_REG_CFG uses usersupplied value without performing bounds check for following cmd_type. VFE_READ_DMI_16BIT VFE_READ_DMI_32BIT VFE_READ_DMI_64BIT

Change-Id: I554c45ef3a172f5b5891b67a7e8e7a1f3f3882ed
Signed-off-by: Trishansh Bhardwaj
---
 drivers/media/platform/msm/camera_v2/isp/msm_isp_util.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/media/platform/msm/camera_v2/isp/msm_isp_util.c b/drivers/media/platform/msm/camera_v2/isp/msm_isp_util.c
index 7ea77dd..4f4884a 100644
--- a/drivers/media/platform/msm/camera_v2/isp/msm_isp_util.c
+++ b/drivers/media/platform/msm/camera_v2/isp/msm_isp_util.c
@@ -969,7 +969,8 @@ static int msm_isp_send_hw_cmd(struct vfe_device *vfe_dev,
 case VFE_READ_DMI_16BIT:
 case VFE_READ_DMI_32BIT:
 case VFE_READ_DMI_64BIT: {
- if (reg_cfg_cmd->cmd_type == VFE_WRITE_DMI_64BIT) {
+ if (reg_cfg_cmd->cmd_type == VFE_WRITE_DMI_64BIT ||
+ reg_cfg_cmd->cmd_type == VFE_READ_DMI_64BIT) {
 if ((reg_cfg_cmd->u.dmi_info.hi_tbl_offset <=
 reg_cfg_cmd->u.dmi_info.lo_tbl_offset) ||
 (reg_cfg_cmd->u.dmi_info.hi_tbl_offset -
-- 
cgit v1.1
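Review bot: The commit message lists VFE_READ_DMI_16BIT and VFE_READ_DMI_32BIT as affected, but the only condition changed here is the 64-bit one, so the 16- and 32-bit read paths gain no new validation from this hunk. If those paths are already covered by a `lo_tbl_offset`/length check further down (outside the hunk, so it cannot be confirmed from here), the message should say so; if they are not, they still consume a user-supplied offset unchecked. The visible part of the condition only relates `hi_tbl_offset` to `lo_tbl_offset`, so it is worth confirming that the rest of the block also bounds `hi_tbl_offset` plus the transfer length against the size of the command buffer copied in from user space. A short comment above the condition, e.g. `/* 64-bit DMI read and write both use hi_tbl_offset: validate it before use */`, would keep a later edit from dropping one of the two cases. Both the `case` block and the inner `if` condition continue past the end of the hunk.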