From 2fb303d9c6ca080f253b10ed9384293ca69ad32b Mon Sep 17 00:00:00 2001
From: Vasko Kalanoski
Date: Tue, 8 Oct 2013 10:50:32 -0700
Subject: msm: actuator: fix to prevent kernel heap buffer overflow fix to prevent kernel heap buffer overflow allows user controlled data to be written to the heap via the msm_camera actuator IOCTLs
Change-Id: I4458831e28e0081fb2f5ae55506be866100e1b4f
Signed-off-by: Vasko Kalanoski
---
 .../platform/msm/camera_v2/sensor/actuator/msm_actuator.c | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/drivers/media/platform/msm/camera_v2/sensor/actuator/msm_actuator.c b/drivers/media/platform/msm/camera_v2/sensor/actuator/msm_actuator.c
index baa2db8..e605326 100644
--- a/drivers/media/platform/msm/camera_v2/sensor/actuator/msm_actuator.c
+++ b/drivers/media/platform/msm/camera_v2/sensor/actuator/msm_actuator.c
@@ -79,6 +79,11 @@ static void msm_actuator_parse_i2c_params(struct msm_actuator_ctrl_t *a_ctrl,
 struct msm_camera_i2c_reg_array *i2c_tbl = a_ctrl->i2c_reg_tbl;
 CDBG("Enter\n");
 for (i = 0; i < size; i++) {
+ /* check that the index into i2c_tbl cannot grow larger that
+ the allocated size of i2c_tbl */
+ if ((a_ctrl->total_steps + 1) < (a_ctrl->i2c_tbl_index)) {
+ break;
+ }
 if (write_arr[i].reg_write_type == MSM_ACTUATOR_WRITE_DAC) {
 value = (next_lens_position << write_arr[i].data_shift) |
@@ -464,8 +469,11 @@ static int32_t msm_actuator_init(struct msm_actuator_ctrl_t *a_ctrl,
 a_ctrl->i2c_data_type = set_info->actuator_params.i2c_data_type;
 a_ctrl->i2c_client.addr_type = set_info->actuator_params.i2c_addr_type;
- a_ctrl->reg_tbl_size = set_info->actuator_params.reg_tbl_size;
- if (a_ctrl->reg_tbl_size > MAX_ACTUATOR_REG_TBL_SIZE) {
+ if (set_info->actuator_params.reg_tbl_size <=
+ MAX_ACTUATOR_REG_TBL_SIZE) {
+ a_ctrl->reg_tbl_size = set_info->actuator_params.reg_tbl_size;
+ } else {
+ a_ctrl->reg_tbl_size = 0;
 pr_err("MAX_ACTUATOR_REG_TBL_SIZE is exceeded.\n");
 return -EFAULT;
 }
--
cgit v1.1
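Review bot: The bound added at the top of the loop in msm_actuator_parse_i2c_params still lets `i2c_tbl_index == total_steps + 1` through, because it breaks only when the index is strictly greater. If i2c_tbl holds `total_steps + 1` entries, as the added comment implies, that index is already one element past the end. The allocation and the stores into i2c_tbl are outside the hunk, so this needs confirming against them, but the guard probably wants to be `if (a_ctrl->i2c_tbl_index > a_ctrl->total_steps) {`. If one iteration can store more than one entry, the check belongs before each store rather than once per iteration. The `break` is also silent in a void function; a `pr_err` there would make a truncated I2C table visible instead of quietly sending a partial write sequence.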
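Review bot: The range check on `set_info->actuator_params.reg_tbl_size` in msm_actuator_init has only an upper bound, so it is sufficient only if that field is unsigned. Its declaration is not in the hunk; if the type is signed, a negative value passes `<=` and is stored in `a_ctrl->reg_tbl_size`, which would need an explicit lower bound. Returning `-EFAULT` for an out-of-range size is also misleading, since no bad address is involved; `return -EINVAL;` describes the failure better, though the old code returned the same value and userspace may depend on it. The function body continues outside the hunk.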