DivestOS/Patches/Linux_CVEs/CVE-2016-6739/3.10/1.patch
2017-10-29 22:14:37 -04:00

63 lines
2.1 KiB
Diff

From ac8242269094729c464ac042a58603e01427e509 Mon Sep 17 00:00:00 2001
From: Rajakumar Govindaram <rajakuma@codeaurora.org>
Date: Thu, 15 Sep 2016 17:09:40 -0700
Subject: msm: camera: cpp: Validate frame message before manipulating it.
CPP frame message is used to send all frame data
to Microcontroller. It is sent every frame. CPP kernel
driver has to add information to it before transfer it.
The message has to be validated before manipulations.
If it is not valid the message and corresponding frame
are discarded.
b/30074605
CRs-Fixed: 1049826
Change-Id: I3e11ca7f6df4bb0d928512f81f3e3dc40fed791a
Signed-off-by: Rajakumar Govindaram <rajakuma@codeaurora.org>
---
.../platform/msm/camera_v2/pproc/cpp/msm_cpp.c | 26 ++++++++++------------
1 file changed, 12 insertions(+), 14 deletions(-)
diff --git a/drivers/media/platform/msm/camera_v2/pproc/cpp/msm_cpp.c b/drivers/media/platform/msm/camera_v2/pproc/cpp/msm_cpp.c
index 964703c..7874cf6 100644
--- a/drivers/media/platform/msm/camera_v2/pproc/cpp/msm_cpp.c
+++ b/drivers/media/platform/msm/camera_v2/pproc/cpp/msm_cpp.c
@@ -2184,21 +2184,19 @@ static int msm_cpp_cfg_frame(struct cpp_device *cpp_dev,
return -EINVAL;
}
- if (!new_frame->partial_frame_indicator) {
- if (cpp_frame_msg[new_frame->msg_len - 1] !=
- MSM_CPP_MSG_ID_TRAILER) {
- pr_err("Invalid frame message\n");
- return -EINVAL;
- }
+ if (cpp_frame_msg[new_frame->msg_len - 1] !=
+ MSM_CPP_MSG_ID_TRAILER) {
+ pr_err("Invalid frame message\n");
+ return -EINVAL;
+ }
- if ((stripe_base + new_frame->num_strips * stripe_size + 1) !=
- new_frame->msg_len) {
- pr_err("Invalid frame message,len=%d,expected=%d\n",
- new_frame->msg_len,
- (stripe_base +
- new_frame->num_strips * stripe_size + 1));
- return -EINVAL;
- }
+ if ((stripe_base + new_frame->num_strips * stripe_size + 1) !=
+ new_frame->msg_len) {
+ pr_err("Invalid frame message,len=%d,expected=%d\n",
+ new_frame->msg_len,
+ (stripe_base +
+ new_frame->num_strips * stripe_size + 1));
+ return -EINVAL;
}
if (cpp_dev->iommu_state != CPP_IOMMU_STATE_ATTACHED) {
--
cgit v1.1