DivestOS/Patches/Linux_CVEs/CVE-2016-6740/3.10/1.patch
2017-10-29 22:14:37 -04:00

139 lines
4.9 KiB
Diff

From ef78bd62f0c064ae4c827e158d828b2c110ebcdc Mon Sep 17 00:00:00 2001
From: VijayaKumar T M <vtmuni@codeaurora.org>
Date: Tue, 6 Sep 2016 12:04:57 +0530
Subject: msm: sensor: Avoid potential stack overflow
Add a check to validate the user input data is not
greater than expected stack buffer size to avoid out
of bounds array accesses
-Fix checkpatch.pl warnings.
CRs-Fixed: 1056307
Change-Id: I8b31006772367a120828269243b1971d33a4d7d3
Signed-off-by: VijayaKumar T M <vtmuni@codeaurora.org>
---
.../platform/msm/camera_v2/sensor/io/msm_camera_cci_i2c.c | 13 ++++++++++++-
.../platform/msm/camera_v2/sensor/io/msm_camera_qup_i2c.c | 13 ++++++++++++-
2 files changed, 24 insertions(+), 2 deletions(-)
diff --git a/drivers/media/platform/msm/camera_v2/sensor/io/msm_camera_cci_i2c.c b/drivers/media/platform/msm/camera_v2/sensor/io/msm_camera_cci_i2c.c
index 07b7e32..c0ac738 100644
--- a/drivers/media/platform/msm/camera_v2/sensor/io/msm_camera_cci_i2c.c
+++ b/drivers/media/platform/msm/camera_v2/sensor/io/msm_camera_cci_i2c.c
@@ -1,4 +1,4 @@
-/* Copyright (c) 2011-2015, The Linux Foundation. All rights reserved.
+/* Copyright (c) 2011-2016, The Linux Foundation. All rights reserved.
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2 and
@@ -361,6 +361,12 @@ int32_t msm_camera_cci_i2c_write_seq_table(
client_addr_type = client->addr_type;
client->addr_type = write_setting->addr_type;
+ if (reg_setting->reg_data_size > I2C_SEQ_REG_DATA_MAX) {
+ pr_err("%s: number of bytes %u exceeding the max supported %d\n",
+ __func__, reg_setting->reg_data_size, I2C_SEQ_REG_DATA_MAX);
+ return rc;
+ }
+
for (i = 0; i < write_setting->size; i++) {
rc = msm_camera_cci_i2c_write_seq(client, reg_setting->reg_addr,
reg_setting->reg_data, reg_setting->reg_data_size);
@@ -418,6 +424,7 @@ static int32_t msm_camera_cci_i2c_compare(struct msm_camera_i2c_client *client,
int32_t rc;
uint16_t reg_data = 0;
int data_len = 0;
+
switch (data_type) {
case MSM_CAMERA_I2C_BYTE_DATA:
case MSM_CAMERA_I2C_WORD_DATA:
@@ -472,6 +479,7 @@ int32_t msm_camera_cci_i2c_poll(struct msm_camera_i2c_client *client,
enum msm_camera_i2c_data_type data_type)
{
int32_t rc;
+
S_I2C_DBG("%s: addr: 0x%x data: 0x%x dt: %d\n",
__func__, addr, data, data_type);
@@ -515,6 +523,7 @@ static int32_t msm_camera_cci_i2c_set_write_mask_data(
{
int32_t rc;
uint16_t reg_data;
+
CDBG("%s\n", __func__);
if (mask == -1)
return 0;
@@ -544,8 +553,10 @@ int32_t msm_camera_cci_i2c_write_conf_tbl(
{
int i;
int32_t rc = -EFAULT;
+
for (i = 0; i < size; i++) {
enum msm_camera_i2c_data_type dt;
+
if (reg_conf_tbl->cmd_type == MSM_CAMERA_I2C_CMD_POLL) {
rc = msm_camera_cci_i2c_poll(client,
reg_conf_tbl->reg_addr,
diff --git a/drivers/media/platform/msm/camera_v2/sensor/io/msm_camera_qup_i2c.c b/drivers/media/platform/msm/camera_v2/sensor/io/msm_camera_qup_i2c.c
index ee0e9ba..2c606cc3 100644
--- a/drivers/media/platform/msm/camera_v2/sensor/io/msm_camera_qup_i2c.c
+++ b/drivers/media/platform/msm/camera_v2/sensor/io/msm_camera_qup_i2c.c
@@ -1,4 +1,4 @@
-/* Copyright (c) 2011, 2013-2015, The Linux Foundation. All rights reserved.
+/* Copyright (c) 2011, 2013-2016, The Linux Foundation. All rights reserved.
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2 and
@@ -505,6 +505,12 @@ int32_t msm_camera_qup_i2c_write_seq_table(struct msm_camera_i2c_client *client,
client_addr_type = client->addr_type;
client->addr_type = write_setting->addr_type;
+ if (reg_setting->reg_data_size > I2C_SEQ_REG_DATA_MAX) {
+ pr_err("%s: number of bytes %u exceeding the max supported %d\n",
+ __func__, reg_setting->reg_data_size, I2C_SEQ_REG_DATA_MAX);
+ return rc;
+ }
+
for (i = 0; i < write_setting->size; i++) {
rc = msm_camera_qup_i2c_write_seq(client, reg_setting->reg_addr,
reg_setting->reg_data, reg_setting->reg_data_size);
@@ -560,6 +566,7 @@ static int32_t msm_camera_qup_i2c_compare(struct msm_camera_i2c_client *client,
int32_t rc;
uint16_t reg_data = 0;
int data_len = 0;
+
switch (data_type) {
case MSM_CAMERA_I2C_BYTE_DATA:
case MSM_CAMERA_I2C_WORD_DATA:
@@ -615,6 +622,7 @@ int32_t msm_camera_qup_i2c_poll(struct msm_camera_i2c_client *client,
{
int32_t rc;
int i;
+
S_I2C_DBG("%s: addr: 0x%x data: 0x%x dt: %d\n",
__func__, addr, data, data_type);
@@ -663,6 +671,7 @@ static int32_t msm_camera_qup_i2c_set_write_mask_data(
{
int32_t rc;
uint16_t reg_data;
+
CDBG("%s\n", __func__);
if (mask == -1)
return 0;
@@ -693,9 +702,11 @@ int32_t msm_camera_qup_i2c_write_conf_tbl(
{
int i;
int32_t rc = -EFAULT;
+
pr_err("%s, E. ", __func__);
for (i = 0; i < size; i++) {
enum msm_camera_i2c_data_type dt;
+
if (reg_conf_tbl->cmd_type == MSM_CAMERA_I2C_CMD_POLL) {
rc = msm_camera_qup_i2c_poll(client,
reg_conf_tbl->reg_addr,
--
cgit v1.1