From 8236d6ebc7e26361ca7078cbeba01509f10941d8 Mon Sep 17 00:00:00 2001 From: Rajesh Bondugula Date: Tue, 22 Nov 2016 11:04:04 -0800 Subject: msm: camera: flash: Validate the power setting size Validate the power setting size before copying. If userspace sends a value which is greater than MAX_POWER_CONFIG, then the driver accesses unintended memory. This change will fix the issue. CRs-Fixed: 1093232 Signed-off-by: Rajesh Bondugula Change-Id: Ia49963248a94765baa19695294b197ea6f3bb8e2 --- drivers/media/platform/msm/camera_v2/sensor/flash/msm_flash.c | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/drivers/media/platform/msm/camera_v2/sensor/flash/msm_flash.c b/drivers/media/platform/msm/camera_v2/sensor/flash/msm_flash.c index 5f749bd..6c8826b 100644 --- a/drivers/media/platform/msm/camera_v2/sensor/flash/msm_flash.c +++ b/drivers/media/platform/msm/camera_v2/sensor/flash/msm_flash.c @@ -269,6 +269,16 @@ static int32_t msm_flash_i2c_init( flash_ctrl->power_info.power_down_setting_size = flash_ctrl->power_setting_array.size_down; + if ((flash_ctrl->power_info.power_setting_size > MAX_POWER_CONFIG) || + (flash_ctrl->power_info.power_down_setting_size > MAX_POWER_CONFIG)) { + pr_err("%s:%d invalid power setting size=%d size_down=%d\n", + __func__, __LINE__, + flash_ctrl->power_info.power_setting_size, + flash_ctrl->power_info.power_down_setting_size); + rc = -EINVAL; + goto msm_flash_i2c_init_fail; + } + rc = msm_camera_power_up(&flash_ctrl->power_info, flash_ctrl->flash_device_type, &flash_ctrl->flash_i2c_client); -- cgit v1.1
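Review bot: The new bounds check runs after the userspace-supplied sizes have already been stored in `flash_ctrl->power_info`, so on the `-EINVAL` path the out-of-range values stay in driver state unless the code at `msm_flash_i2c_init_fail` (outside this hunk) resets them. Any later path that walks the power settings using those fields, such as a power-down on release, would presumably still run past MAX_POWER_CONFIG entries. Either validate `flash_ctrl->power_setting_array.size` and `.size_down` before the assignments, or clear both fields before the `goto`, e.g. `flash_ctrl->power_info.power_setting_size = 0;` and `flash_ctrl->power_info.power_down_setting_size = 0;`. Because the message is reachable from userspace input, `pr_err_ratelimited` would also keep a misbehaving caller from flooding the kernel log. The body of msm_flash_i2c_init starts and ends outside the hunk, so where the array is copied in and how the fail label cleans up should be confirmed against the full function.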