mirror of
https://github.com/Divested-Mobile/DivestOS-Build.git
synced 2024-10-01 01:35:54 -04:00
93 lines
3.3 KiB
Diff
93 lines
3.3 KiB
Diff
From 96145eb5f0631f0e105d47abebc8f940f7621eeb Mon Sep 17 00:00:00 2001
|
|
From: Rajesh Bondugula <rajeshb@codeaurora.org>
|
|
Date: Tue, 15 Nov 2016 13:52:49 -0800
|
|
Subject: msm: camera: sensor: Validate eeprom_name string length
|
|
|
|
Validate eeprom_name string length before copying into
|
|
the userspace buffer.
|
|
If more data than required is copied, userspace has the access to
|
|
some of kernel data which is not intended.
|
|
|
|
This change will fix the issue.
|
|
|
|
CRs-Fixed: 1090007
|
|
Signed-off-by: Rajesh Bondugula <rajeshb@codeaurora.org>
|
|
Change-Id: Id40a287e0b1a93cc15d9b02c757fe9f347e285f2
|
|
---
|
|
.../msm/camera_v2/sensor/eeprom/msm_eeprom.c | 22 ++++++++++++++++++----
|
|
include/uapi/media/msm_cam_sensor.h | 2 +-
|
|
2 files changed, 19 insertions(+), 5 deletions(-)
|
|
|
|
diff --git a/drivers/media/platform/msm/camera_v2/sensor/eeprom/msm_eeprom.c b/drivers/media/platform/msm/camera_v2/sensor/eeprom/msm_eeprom.c
|
|
index 1f891ac..037e8b5 100644
|
|
--- a/drivers/media/platform/msm/camera_v2/sensor/eeprom/msm_eeprom.c
|
|
+++ b/drivers/media/platform/msm/camera_v2/sensor/eeprom/msm_eeprom.c
|
|
@@ -617,6 +617,7 @@ static int msm_eeprom_config(struct msm_eeprom_ctrl_t *e_ctrl,
|
|
struct msm_eeprom_cfg_data *cdata =
|
|
(struct msm_eeprom_cfg_data *)argp;
|
|
int rc = 0;
|
|
+ size_t length = 0;
|
|
|
|
CDBG("%s E\n", __func__);
|
|
switch (cdata->cfgtype) {
|
|
@@ -629,9 +630,15 @@ static int msm_eeprom_config(struct msm_eeprom_ctrl_t *e_ctrl,
|
|
}
|
|
CDBG("%s E CFG_EEPROM_GET_INFO\n", __func__);
|
|
cdata->is_supported = e_ctrl->is_supported;
|
|
+ length = strlen(e_ctrl->eboard_info->eeprom_name) + 1;
|
|
+ if (length > MAX_EEPROM_NAME) {
|
|
+ pr_err("%s:%d invalid eeprom_name length %d\n",
|
|
+ __func__, __LINE__, (int)length);
|
|
+ rc = -EINVAL;
|
|
+ break;
|
|
+ }
|
|
memcpy(cdata->cfg.eeprom_name,
|
|
- e_ctrl->eboard_info->eeprom_name,
|
|
- sizeof(cdata->cfg.eeprom_name));
|
|
+ e_ctrl->eboard_info->eeprom_name, length);
|
|
break;
|
|
case CFG_EEPROM_GET_CAL_DATA:
|
|
CDBG("%s E CFG_EEPROM_GET_CAL_DATA\n", __func__);
|
|
@@ -1479,6 +1486,7 @@ static int msm_eeprom_config32(struct msm_eeprom_ctrl_t *e_ctrl,
|
|
struct msm_eeprom_cfg_data32 *cdata =
|
|
(struct msm_eeprom_cfg_data32 *)argp;
|
|
int rc = 0;
|
|
+ size_t length = 0;
|
|
|
|
CDBG("%s E\n", __func__);
|
|
switch (cdata->cfgtype) {
|
|
@@ -1491,9 +1499,15 @@ static int msm_eeprom_config32(struct msm_eeprom_ctrl_t *e_ctrl,
|
|
}
|
|
CDBG("%s E CFG_EEPROM_GET_INFO\n", __func__);
|
|
cdata->is_supported = e_ctrl->is_supported;
|
|
+ length = strlen(e_ctrl->eboard_info->eeprom_name) + 1;
|
|
+ if (length > MAX_EEPROM_NAME) {
|
|
+ pr_err("%s:%d invalid eeprom_name length %d\n",
|
|
+ __func__, __LINE__, (int)length);
|
|
+ rc = -EINVAL;
|
|
+ break;
|
|
+ }
|
|
memcpy(cdata->cfg.eeprom_name,
|
|
- e_ctrl->eboard_info->eeprom_name,
|
|
- sizeof(cdata->cfg.eeprom_name));
|
|
+ e_ctrl->eboard_info->eeprom_name, length);
|
|
break;
|
|
case CFG_EEPROM_GET_CAL_DATA:
|
|
CDBG("%s E CFG_EEPROM_GET_CAL_DATA\n", __func__);
|
|
diff --git a/include/uapi/media/msm_cam_sensor.h b/include/uapi/media/msm_cam_sensor.h
|
|
index 540a96c..b8f4b41 100644
|
|
--- a/include/uapi/media/msm_cam_sensor.h
|
|
+++ b/include/uapi/media/msm_cam_sensor.h
|
|
@@ -290,7 +290,7 @@ struct msm_eeprom_cfg_data {
|
|
enum eeprom_cfg_type_t cfgtype;
|
|
uint8_t is_supported;
|
|
union {
|
|
- char eeprom_name[MAX_SENSOR_NAME];
|
|
+ char eeprom_name[MAX_EEPROM_NAME];
|
|
struct eeprom_get_t get_data;
|
|
struct eeprom_read_t read_data;
|
|
struct eeprom_write_t write_data;
|
|
--
|
|
cgit v1.1
|
|
|