From 6266f954a52641f550ef71653ea83c80bdd083be Mon Sep 17 00:00:00 2001 
From: Ravi Kishore Tanuku Date: Fri, 29 May 2015 11:49:26 +0530 Subject: msm: camera: cci: Add out of boundary check While optimizing the cci transactions, we compare i2c addresses in consecutive commands using a pointer to the command. if (cmd->reg_addr + 1 ==(cmd+1)->reg_addr) Here, we need an out-of-bounds check to ensure the pointer to that command does not go out of bounds. ================================================================== BUG: KASan: out of bounds access in msm_cci_i2c_write+0x644/0xe64 at addr ffffffc01ef225d0 Read of size 2 by task mm-qcamera-daem/6458 ============================================================================= BUG kmalloc-2048 (Not tainted): kasan: bad access detected ----------------------------------------------------------------------------- Disabling lock debugging due to kernel taint INFO: Slab 0xffffffbc027bc800 objects=16 used=16 fp=0x (null) flags=0x4080 INFO: Object 0xffffffc01ef22000 @offset=8192 fp=0x0000000000000101 Call trace: [] dump_backtrace+0x0/0x174 [] show_stack+0x10/0x1c [] dump_stack+0x1c/0x28 [] print_trailer+0x138/0x14c [] object_err+0x38/0x4c [] kasan_report_error+0x21c/0x3f0 [] kasan_report+0x68/0x78 [] __asan_load2+0x78/0x84 [] msm_cci_i2c_write+0x640/0xe64 [] msm_cci_config+0xde0/0x18fc [] msm_cci_subdev_ioctl+0x88/0xdc [] msm_camera_cci_i2c_write_table+0x100/0x198 [] msm_sensor_config32+0x684/0xe64 [] msm_sensor_subdev_ioctl+0xf8/0x28c [] msm_sensor_subdev_do_ioctl+0x3c/0x48 [] video_usercopy+0x2e8/0x4d4 [] msm_sensor_subdev_fops_ioctl+0x10/0x1c [] v4l2_compat_ioctl32+0x668/0x684 [] compat_sys_ioctl+0x13c/0x1998 Memory state around the buggy address: ffffffc01ef22480: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffffffc01ef22500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 >ffffffc01ef22580: 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc ^ ffffffc01ef22600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffffffc01ef22680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
Change-Id: Id835bf3276c91cd80c3ef59e6648a6d6792d2567
Signed-off-by: Ravi Kishore Tanuku
---
 drivers/media/platform/msm/camera_v2/sensor/cci/msm_cci.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/media/platform/msm/camera_v2/sensor/cci/msm_cci.c b/drivers/media/platform/msm/camera_v2/sensor/cci/msm_cci.c
index 86561ce..05a4c0b 100644
--- a/drivers/media/platform/msm/camera_v2/sensor/cci/msm_cci.c
+++ b/drivers/media/platform/msm/camera_v2/sensor/cci/msm_cci.c
@@ -330,7 +330,7 @@ static int32_t msm_cci_calc_cmd_len(struct cci_device *cci_dev,
 pack_max_len = size < (cci_dev->payload_size-len) ? size : (cci_dev->payload_size-len);
 for (i = 0; i < pack_max_len;) {
- if (cmd->delay)
+ if (cmd->delay || ((cmd - i2c_cmd) >= (cmd_size-1)))
 break;
 if (cmd->reg_addr + 1 == (cmd+1)->reg_addr) {
--
cgit v1.1
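Review bot: The new guard `(cmd - i2c_cmd) >= (cmd_size-1)` compares a ptrdiff_t with `cmd_size-1`, and cmd_size is declared outside the hunk; if it is a narrow unsigned type such as uint16_t the subtraction promotes to int and the compare is signed, but if it is size_t or another unsigned type at least as wide as int, a zero cmd_size wraps `cmd_size-1` to a huge value and the pointer difference is converted to unsigned, so the guard would never fire — worth confirming against the declaration. The reason for the `-1` is also not recorded: it exists because the look-ahead `(cmd+1)->reg_addr` two lines below must not be evaluated for the last command, so a comment above the if such as `/* the look-ahead at cmd[1] below needs one more command after cmd */` would keep the next maintainer from "simplifying" it to `>= cmd_size`. The enclosing function msm_cci_calc_cmd_len starts and ends outside the hunk, and the hunk header's 7-line counts suggest at least one trailing context line was lost when the page was collapsed.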