mirror of
https://github.com/Divested-Mobile/DivestOS-Build.git
synced 2024-12-26 16:09:23 -05:00
139 lines
4.9 KiB
Diff
139 lines
4.9 KiB
Diff
From ef78bd62f0c064ae4c827e158d828b2c110ebcdc Mon Sep 17 00:00:00 2001
|
|
From: VijayaKumar T M <vtmuni@codeaurora.org>
|
|
Date: Tue, 6 Sep 2016 12:04:57 +0530
|
|
Subject: msm: sensor: Avoid potential stack overflow
|
|
|
|
Add a check to validate the user input data is not
|
|
greater than expected stack buffer size to avoid out
|
|
of bounds array accesses
|
|
-Fix checkpatch.pl warnings.
|
|
|
|
CRs-Fixed: 1056307
|
|
Change-Id: I8b31006772367a120828269243b1971d33a4d7d3
|
|
Signed-off-by: VijayaKumar T M <vtmuni@codeaurora.org>
|
|
---
|
|
.../platform/msm/camera_v2/sensor/io/msm_camera_cci_i2c.c | 13 ++++++++++++-
|
|
.../platform/msm/camera_v2/sensor/io/msm_camera_qup_i2c.c | 13 ++++++++++++-
|
|
2 files changed, 24 insertions(+), 2 deletions(-)
|
|
|
|
diff --git a/drivers/media/platform/msm/camera_v2/sensor/io/msm_camera_cci_i2c.c b/drivers/media/platform/msm/camera_v2/sensor/io/msm_camera_cci_i2c.c
|
|
index 07b7e32..c0ac738 100644
|
|
--- a/drivers/media/platform/msm/camera_v2/sensor/io/msm_camera_cci_i2c.c
|
|
+++ b/drivers/media/platform/msm/camera_v2/sensor/io/msm_camera_cci_i2c.c
|
|
@@ -1,4 +1,4 @@
|
|
-/* Copyright (c) 2011-2015, The Linux Foundation. All rights reserved.
|
|
+/* Copyright (c) 2011-2016, The Linux Foundation. All rights reserved.
|
|
*
|
|
* This program is free software; you can redistribute it and/or modify
|
|
* it under the terms of the GNU General Public License version 2 and
|
|
@@ -361,6 +361,12 @@ int32_t msm_camera_cci_i2c_write_seq_table(
|
|
client_addr_type = client->addr_type;
|
|
client->addr_type = write_setting->addr_type;
|
|
|
|
+ if (reg_setting->reg_data_size > I2C_SEQ_REG_DATA_MAX) {
|
|
+ pr_err("%s: number of bytes %u exceeding the max supported %d\n",
|
|
+ __func__, reg_setting->reg_data_size, I2C_SEQ_REG_DATA_MAX);
|
|
+ return rc;
|
|
+ }
|
|
+
|
|
for (i = 0; i < write_setting->size; i++) {
|
|
rc = msm_camera_cci_i2c_write_seq(client, reg_setting->reg_addr,
|
|
reg_setting->reg_data, reg_setting->reg_data_size);
|
|
@@ -418,6 +424,7 @@ static int32_t msm_camera_cci_i2c_compare(struct msm_camera_i2c_client *client,
|
|
int32_t rc;
|
|
uint16_t reg_data = 0;
|
|
int data_len = 0;
|
|
+
|
|
switch (data_type) {
|
|
case MSM_CAMERA_I2C_BYTE_DATA:
|
|
case MSM_CAMERA_I2C_WORD_DATA:
|
|
@@ -472,6 +479,7 @@ int32_t msm_camera_cci_i2c_poll(struct msm_camera_i2c_client *client,
|
|
enum msm_camera_i2c_data_type data_type)
|
|
{
|
|
int32_t rc;
|
|
+
|
|
S_I2C_DBG("%s: addr: 0x%x data: 0x%x dt: %d\n",
|
|
__func__, addr, data, data_type);
|
|
|
|
@@ -515,6 +523,7 @@ static int32_t msm_camera_cci_i2c_set_write_mask_data(
|
|
{
|
|
int32_t rc;
|
|
uint16_t reg_data;
|
|
+
|
|
CDBG("%s\n", __func__);
|
|
if (mask == -1)
|
|
return 0;
|
|
@@ -544,8 +553,10 @@ int32_t msm_camera_cci_i2c_write_conf_tbl(
|
|
{
|
|
int i;
|
|
int32_t rc = -EFAULT;
|
|
+
|
|
for (i = 0; i < size; i++) {
|
|
enum msm_camera_i2c_data_type dt;
|
|
+
|
|
if (reg_conf_tbl->cmd_type == MSM_CAMERA_I2C_CMD_POLL) {
|
|
rc = msm_camera_cci_i2c_poll(client,
|
|
reg_conf_tbl->reg_addr,
|
|
diff --git a/drivers/media/platform/msm/camera_v2/sensor/io/msm_camera_qup_i2c.c b/drivers/media/platform/msm/camera_v2/sensor/io/msm_camera_qup_i2c.c
|
|
index ee0e9ba..2c606cc3 100644
|
|
--- a/drivers/media/platform/msm/camera_v2/sensor/io/msm_camera_qup_i2c.c
|
|
+++ b/drivers/media/platform/msm/camera_v2/sensor/io/msm_camera_qup_i2c.c
|
|
@@ -1,4 +1,4 @@
|
|
-/* Copyright (c) 2011, 2013-2015, The Linux Foundation. All rights reserved.
|
|
+/* Copyright (c) 2011, 2013-2016, The Linux Foundation. All rights reserved.
|
|
*
|
|
* This program is free software; you can redistribute it and/or modify
|
|
* it under the terms of the GNU General Public License version 2 and
|
|
@@ -505,6 +505,12 @@ int32_t msm_camera_qup_i2c_write_seq_table(struct msm_camera_i2c_client *client,
|
|
client_addr_type = client->addr_type;
|
|
client->addr_type = write_setting->addr_type;
|
|
|
|
+ if (reg_setting->reg_data_size > I2C_SEQ_REG_DATA_MAX) {
|
|
+ pr_err("%s: number of bytes %u exceeding the max supported %d\n",
|
|
+ __func__, reg_setting->reg_data_size, I2C_SEQ_REG_DATA_MAX);
|
|
+ return rc;
|
|
+ }
|
|
+
|
|
for (i = 0; i < write_setting->size; i++) {
|
|
rc = msm_camera_qup_i2c_write_seq(client, reg_setting->reg_addr,
|
|
reg_setting->reg_data, reg_setting->reg_data_size);
|
|
@@ -560,6 +566,7 @@ static int32_t msm_camera_qup_i2c_compare(struct msm_camera_i2c_client *client,
|
|
int32_t rc;
|
|
uint16_t reg_data = 0;
|
|
int data_len = 0;
|
|
+
|
|
switch (data_type) {
|
|
case MSM_CAMERA_I2C_BYTE_DATA:
|
|
case MSM_CAMERA_I2C_WORD_DATA:
|
|
@@ -615,6 +622,7 @@ int32_t msm_camera_qup_i2c_poll(struct msm_camera_i2c_client *client,
|
|
{
|
|
int32_t rc;
|
|
int i;
|
|
+
|
|
S_I2C_DBG("%s: addr: 0x%x data: 0x%x dt: %d\n",
|
|
__func__, addr, data, data_type);
|
|
|
|
@@ -663,6 +671,7 @@ static int32_t msm_camera_qup_i2c_set_write_mask_data(
|
|
{
|
|
int32_t rc;
|
|
uint16_t reg_data;
|
|
+
|
|
CDBG("%s\n", __func__);
|
|
if (mask == -1)
|
|
return 0;
|
|
@@ -693,9 +702,11 @@ int32_t msm_camera_qup_i2c_write_conf_tbl(
|
|
{
|
|
int i;
|
|
int32_t rc = -EFAULT;
|
|
+
|
|
pr_err("%s, E. ", __func__);
|
|
for (i = 0; i < size; i++) {
|
|
enum msm_camera_i2c_data_type dt;
|
|
+
|
|
if (reg_conf_tbl->cmd_type == MSM_CAMERA_I2C_CMD_POLL) {
|
|
rc = msm_camera_qup_i2c_poll(client,
|
|
reg_conf_tbl->reg_addr,
|
|
--
|
|
cgit v1.1
|
|
|