DivestOS/Patches/Linux_CVEs/CVE-2013-4736/ANY/0002.patch
2017-11-07 17:32:46 -05:00


From 8c5300aec8cd9882b89e9d169680221541da0d7f Mon Sep 17 00:00:00 2001
From: Monika Alekhya <malekh@codeaurora.org>
Date: Fri, 28 Jun 2013 18:23:40 +0530
Subject: msm:camera: Fix overflow issue in ioctl_hw_cmds function
'len' is of type signed int 32bit, but the assigned value
may exceed maximum unsigned int32 range. Add overflow check
and graceful exit if 'm' exceeds UINT32_MAX value.
Change-Id: I38f0d10a0cb44d08d0054f91044fc891c246ebd1
CRs-Fixed: 493314
Signed-off-by: Monika Alekhya <malekh@codeaurora.org>
---
drivers/media/video/msm/gemini/msm_gemini_sync.c | 9 ++++++++-
drivers/media/video/msm/jpeg_10/msm_jpeg_sync.c | 10 ++++++++--
drivers/media/video/msm/mercury/msm_mercury_sync.c | 10 ++++++++--
3 files changed, 24 insertions(+), 5 deletions(-)
diff --git a/drivers/media/video/msm/gemini/msm_gemini_sync.c b/drivers/media/video/msm/gemini/msm_gemini_sync.c
index ef727fd..f5089ae 100644
--- a/drivers/media/video/msm/gemini/msm_gemini_sync.c
+++ b/drivers/media/video/msm/gemini/msm_gemini_sync.c
@@ -23,6 +23,7 @@
#include <mach/msm_bus.h>
#include <mach/msm_bus_board.h>
+# define UINT32_MAX (4294967295U)
static int release_buf;
/* size is based on 4k page size */
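Review bot: The `UINT32_MAX` definition added here is unguarded and is repeated in msm_jpeg_sync.c and msm_mercury_sync.c, so each copy can produce a redefinition diagnostic if an included header later supplies the name with a different spelling. Wrapping it as `#ifndef UINT32_MAX` / `#define UINT32_MAX (4294967295U)` / `#endif`, or defining it once in a header shared by the three drivers, avoids that. The space in `# define` in this file also differs from the form used in the other two files.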
@@ -804,7 +805,7 @@ int msm_gemini_ioctl_hw_cmds(struct msm_gemini_device *pgmn_dev,
void * __user arg)
{
int is_copy_to_user;
- int len;
+ uint32_t len;
uint32_t m;
struct msm_gemini_hw_cmds *hw_cmds_p;
struct msm_gemini_hw_cmd *hw_cmd_p;
@@ -813,6 +814,12 @@ int msm_gemini_ioctl_hw_cmds(struct msm_gemini_device *pgmn_dev,
GMN_PR_ERR("%s:%d] failed\n", __func__, __LINE__);
return -EFAULT;
}
+ if ((m == 0) || (m > ((UINT32_MAX-sizeof(struct msm_gemini_hw_cmds))/
+ sizeof(struct msm_gemini_hw_cmd)))) {
+ GMN_PR_ERR("%s:%d] outof range of hwcmds\n",
+ __func__, __LINE__);
+ return -EINVAL;
+ }
len = sizeof(struct msm_gemini_hw_cmds) +
sizeof(struct msm_gemini_hw_cmd) * (m - 1);
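Review bot: The new range check on `m` only rules out 32-bit wrap-around of `len`; it still accepts a user-supplied count that puts `len` close to 4 GiB, so the size requested from the allocator stays effectively caller-controlled. A driver-specific ceiling on the number of hardware commands per ioctl would bound it, for example `if (m == 0 || m > MAX_HW_CMDS_PLACEHOLDER) return -EINVAL;`, where the constant is a placeholder for whatever the hardware actually supports. The same applies to the identical checks added in msm_jpeg_ioctl_hw_cmds and msm_mercury_ioctl_hw_cmds. The function body continues outside the hunk: if the whole structure is copied from `arg` again after allocation, the later code should keep using the validated local `m` rather than the count in the copied structure, and any `%d` format that prints `len` needs `%u` now that it is unsigned.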
diff --git a/drivers/media/video/msm/jpeg_10/msm_jpeg_sync.c b/drivers/media/video/msm/jpeg_10/msm_jpeg_sync.c
index 6ac4a5e..4a81fa6 100644
--- a/drivers/media/video/msm/jpeg_10/msm_jpeg_sync.c
+++ b/drivers/media/video/msm/jpeg_10/msm_jpeg_sync.c
@@ -22,6 +22,7 @@
#include "msm_jpeg_platform.h"
#include "msm_jpeg_common.h"
+#define UINT32_MAX (4294967295U)
static int release_buf;
inline void msm_jpeg_q_init(char const *name, struct msm_jpeg_q *q_p)
@@ -631,7 +632,7 @@ int msm_jpeg_ioctl_hw_cmds(struct msm_jpeg_device *pgmn_dev,
void * __user arg)
{
int is_copy_to_user;
- int len;
+ uint32_t len;
uint32_t m;
struct msm_jpeg_hw_cmds *hw_cmds_p;
struct msm_jpeg_hw_cmd *hw_cmd_p;
@@ -640,7 +641,12 @@ int msm_jpeg_ioctl_hw_cmds(struct msm_jpeg_device *pgmn_dev,
JPEG_PR_ERR("%s:%d] failed\n", __func__, __LINE__);
return -EFAULT;
}
-
+ if ((m == 0) || (m > ((UINT32_MAX-sizeof(struct msm_jpeg_hw_cmds))/
+ sizeof(struct msm_jpeg_hw_cmd)))) {
+ JPEG_PR_ERR("%s:%d] outof range of hwcmds\n",
+ __func__, __LINE__);
+ return -EINVAL;
+ }
len = sizeof(struct msm_jpeg_hw_cmds) +
sizeof(struct msm_jpeg_hw_cmd) * (m - 1);
hw_cmds_p = kmalloc(len, GFP_KERNEL);
diff --git a/drivers/media/video/msm/mercury/msm_mercury_sync.c b/drivers/media/video/msm/mercury/msm_mercury_sync.c
index 9293aad..fe74a0a 100644
--- a/drivers/media/video/msm/mercury/msm_mercury_sync.c
+++ b/drivers/media/video/msm/mercury/msm_mercury_sync.c
@@ -24,6 +24,7 @@
#include "msm_mercury_macros.h"
#include "msm_mercury_hw_reg.h"
+#define UINT32_MAX (4294967295U)
static struct msm_mercury_core_buf out_buf_local;
static struct msm_mercury_core_buf in_buf_local;
@@ -470,7 +471,7 @@ int msm_mercury_ioctl_hw_cmds(struct msm_mercury_device *pmercury_dev,
void * __user arg)
{
int is_copy_to_user;
- int len;
+ uint32_t len;
uint32_t m;
struct msm_mercury_hw_cmds *hw_cmds_p;
struct msm_mercury_hw_cmd *hw_cmd_p;
@@ -479,7 +480,12 @@ int msm_mercury_ioctl_hw_cmds(struct msm_mercury_device *pmercury_dev,
MCR_PR_ERR("%s:%d] failed\n", __func__, __LINE__);
return -EFAULT;
}
-
+ if ((m == 0) || (m > ((UINT32_MAX-sizeof(struct msm_mercury_hw_cmds))/
+ sizeof(struct msm_mercury_hw_cmd)))) {
+ MCR_PR_ERR("%s:%d] outof range of hwcmds\n",
+ __func__, __LINE__);
+ return -EINVAL;
+ }
len = sizeof(struct msm_mercury_hw_cmds) +
sizeof(struct msm_mercury_hw_cmd) * (m - 1);
hw_cmds_p = kmalloc(len, GFP_KERNEL);
--
cgit v1.1