DivestOS/Patches/Linux_CVEs/CVE-2016-6756/ANY/0.patch

From f91d28dcba304c9f3af35b5bebaa26233c8c13a5 Mon Sep 17 00:00:00 2001
From: Suman Mukherjee <sumam@codeaurora.org>
Date: Thu, 29 Sep 2016 09:19:05 +0530
Subject: msm: camera: cpp: Add validation for v4l2 ioctl arguments

In CPP v4l2 ioctl command is made, if _IOC_DIR(cmd) is
_IOC_NONE, then the user-supplied argument arg is not checked
and an information disclosure is possible
CRs-Fixed: 1042068

Change-Id: Iddb291b10cdcb5c42ab8497e06c2ce47885cd5ab
Signed-off-by: Suman Mukherjee <sumam@codeaurora.org>
Signed-off-by: Sunid Wilson <sunidw@codeaurora.org>
---
 drivers/media/platform/msm/camera_v2/pproc/cpp/msm_cpp.c | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/drivers/media/platform/msm/camera_v2/pproc/cpp/msm_cpp.c b/drivers/media/platform/msm/camera_v2/pproc/cpp/msm_cpp.c
index ac0ba8e..964703c 100644
--- a/drivers/media/platform/msm/camera_v2/pproc/cpp/msm_cpp.c
+++ b/drivers/media/platform/msm/camera_v2/pproc/cpp/msm_cpp.c
@@ -2495,14 +2495,14 @@ static int msm_cpp_validate_input(unsigned int cmd, void *arg,
 		break;
 	default:
 		if (ioctl_ptr == NULL) {
-			pr_err("Wrong ioctl_ptr %pK\n", ioctl_ptr);
+			pr_err("Wrong ioctl_ptr for cmd %u\n", cmd);
 			return -EINVAL;
 		}
 
 		*ioctl_ptr = arg;
 		if ((*ioctl_ptr == NULL) ||
-			((*ioctl_ptr)->ioctl_ptr == NULL)) {
-			pr_err("Wrong arg %pK\n", arg);
+			(*ioctl_ptr)->ioctl_ptr == NULL) {
+			pr_err("Error invalid ioctl argument cmd %u\n", cmd);
 			return -EINVAL;
 		}
 		break;
@@ -2542,6 +2542,10 @@ long msm_cpp_subdev_ioctl(struct v4l2_subdev *sd,
 		pr_err("cpp_dev is null\n");
 		return -EINVAL;
 	}
+	if (_IOC_DIR(cmd) == _IOC_NONE) {
+		pr_err("Invalid ioctl/subdev cmd %u", cmd);
+		return -EINVAL;
+	}
 	rc = msm_cpp_validate_input(cmd, arg, &ioctl_ptr);
 	if (rc != 0) {
 		pr_err("input validation failed\n");
-- 
cgit v1.1