mirror of
https://github.com/Divested-Mobile/DivestOS-Build.git
synced 2024-12-30 01:46:30 -05:00
63 lines
2.3 KiB
Diff
63 lines
2.3 KiB
Diff
From eba46cb98431ba1d7a6bd859f26f6ad03f1bf4d4 Mon Sep 17 00:00:00 2001
|
|
From: Rajesh Bondugula <rajeshb@codeaurora.org>
|
|
Date: Tue, 15 Nov 2016 14:55:35 -0800
|
|
Subject: msm: camera: eeprom: Validate the power setting size
|
|
|
|
Validate the power setting size before copying.
|
|
If userspace sends a value which is greater than
|
|
MAX_POWER_CONFIG, then the driver accesses unintended memory.
|
|
This change will fix the issue.
|
|
|
|
Crs-Fixed: 1089433
|
|
Signed-off-by: Rajesh Bondugula <rajeshb@codeaurora.org>
|
|
Change-Id: Iaaa6f5b3c1c2ac5b5b38b3ac407d6ae394bba780
|
|
---
|
|
.../msm/camera_v2/sensor/eeprom/msm_eeprom.c | 24 +++++++++-------------
|
|
1 file changed, 10 insertions(+), 14 deletions(-)
|
|
|
|
diff --git a/drivers/media/platform/msm/camera_v2/sensor/eeprom/msm_eeprom.c b/drivers/media/platform/msm/camera_v2/sensor/eeprom/msm_eeprom.c
|
|
index 037e8b5..dd2f919 100644
|
|
--- a/drivers/media/platform/msm/camera_v2/sensor/eeprom/msm_eeprom.c
|
|
+++ b/drivers/media/platform/msm/camera_v2/sensor/eeprom/msm_eeprom.c
|
|
@@ -1409,6 +1409,16 @@ static int eeprom_init_config32(struct msm_eeprom_ctrl_t *e_ctrl,
|
|
|
|
power_info = &(e_ctrl->eboard_info->power_info);
|
|
|
|
+ if ((power_setting_array32->size > MAX_POWER_CONFIG) ||
|
|
+ (power_setting_array32->size_down > MAX_POWER_CONFIG) ||
|
|
+ (!power_setting_array32->size) ||
|
|
+ (!power_setting_array32->size_down)) {
|
|
+ pr_err("%s:%d invalid power setting size=%d size_down=%d\n",
|
|
+ __func__, __LINE__, power_setting_array32->size,
|
|
+ power_setting_array32->size_down);
|
|
+ rc = -EINVAL;
|
|
+ goto free_mem;
|
|
+ }
|
|
msm_eeprom_copy_power_settings_compat(
|
|
power_setting_array,
|
|
power_setting_array32);
|
|
@@ -1423,20 +1433,6 @@ static int eeprom_init_config32(struct msm_eeprom_ctrl_t *e_ctrl,
|
|
power_info->power_down_setting_size =
|
|
power_setting_array->size_down;
|
|
|
|
- if ((power_info->power_setting_size >
|
|
- MAX_POWER_CONFIG) ||
|
|
- (power_info->power_down_setting_size >
|
|
- MAX_POWER_CONFIG) ||
|
|
- (!power_info->power_down_setting_size) ||
|
|
- (!power_info->power_setting_size)) {
|
|
- rc = -EINVAL;
|
|
- pr_err("%s:%d Invalid power setting size :%d, %d\n",
|
|
- __func__, __LINE__,
|
|
- power_info->power_setting_size,
|
|
- power_info->power_down_setting_size);
|
|
- goto free_mem;
|
|
- }
|
|
-
|
|
if (e_ctrl->i2c_client.cci_client) {
|
|
e_ctrl->i2c_client.cci_client->i2c_freq_mode =
|
|
cdata32->cfg.eeprom_info.i2c_freq_mode;
|
|
--
|
|
cgit v1.1
|
|
|