mirror of
https://github.com/Divested-Mobile/DivestOS-Build.git
synced 2024-07-08 20:31:57 +00:00
138 lines
4.6 KiB
Diff
138 lines
4.6 KiB
Diff
From 80a1d9978c11f76bbe6d2e622bf2ded18f27e34f Mon Sep 17 00:00:00 2001
|
|
From: VijayaKumar T M <vtmuni@codeaurora.org>
|
|
Date: Wed, 7 Sep 2016 12:53:43 +0530
|
|
Subject: msm: camera: Restructure data handling to be more robust
|
|
|
|
Use dynamic array allocation instead of static array to
|
|
prevent stack overflow.
|
|
User-supplied number of bytes may result in integer overflow.
|
|
To fix this we check that the num_byte isn't above 8K size.
|
|
|
|
CRs-Fixed: 1060554
|
|
Change-Id: I9b05b846e5cc3a62b1a0a67be529f09abc764796
|
|
Signed-off-by: VijayaKumar T M <vtmuni@codeaurora.org>
|
|
---
|
|
.../msm/camera_v2/sensor/io/msm_camera_cci_i2c.c | 6 ++++
|
|
.../msm/camera_v2/sensor/io/msm_camera_qup_i2c.c | 39 ++++++++++++++++++++--
|
|
2 files changed, 43 insertions(+), 2 deletions(-)
|
|
|
|
diff --git a/drivers/media/platform/msm/camera_v2/sensor/io/msm_camera_cci_i2c.c b/drivers/media/platform/msm/camera_v2/sensor/io/msm_camera_cci_i2c.c
|
|
index 07b7e32..f970233 100644
|
|
--- a/drivers/media/platform/msm/camera_v2/sensor/io/msm_camera_cci_i2c.c
|
|
+++ b/drivers/media/platform/msm/camera_v2/sensor/io/msm_camera_cci_i2c.c
|
|
@@ -71,6 +71,12 @@ int32_t msm_camera_cci_i2c_read_seq(struct msm_camera_i2c_client *client,
|
|
|| num_byte == 0)
|
|
return rc;
|
|
|
|
+ if (num_byte > I2C_REG_DATA_MAX) {
|
|
+ pr_err("%s: Error num_byte:0x%x exceeds 8K max supported:0x%x\n",
|
|
+ __func__, num_byte, I2C_REG_DATA_MAX);
|
|
+ return rc;
|
|
+ }
|
|
+
|
|
buf = kzalloc(num_byte, GFP_KERNEL);
|
|
if (!buf) {
|
|
pr_err("%s:%d no memory\n", __func__, __LINE__);
|
|
diff --git a/drivers/media/platform/msm/camera_v2/sensor/io/msm_camera_qup_i2c.c b/drivers/media/platform/msm/camera_v2/sensor/io/msm_camera_qup_i2c.c
|
|
index ee0e9ba..5fd11eb 100644
|
|
--- a/drivers/media/platform/msm/camera_v2/sensor/io/msm_camera_qup_i2c.c
|
|
+++ b/drivers/media/platform/msm/camera_v2/sensor/io/msm_camera_qup_i2c.c
|
|
@@ -102,7 +102,7 @@ int32_t msm_camera_qup_i2c_read(struct msm_camera_i2c_client *client,
|
|
enum msm_camera_i2c_data_type data_type)
|
|
{
|
|
int32_t rc = -EFAULT;
|
|
- unsigned char buf[client->addr_type+data_type];
|
|
+ unsigned char *buf = NULL;
|
|
|
|
if ((client->addr_type != MSM_CAMERA_I2C_BYTE_ADDR
|
|
&& client->addr_type != MSM_CAMERA_I2C_WORD_ADDR)
|
|
@@ -110,6 +110,17 @@ int32_t msm_camera_qup_i2c_read(struct msm_camera_i2c_client *client,
|
|
&& data_type != MSM_CAMERA_I2C_WORD_DATA))
|
|
return rc;
|
|
|
|
+ if (client->addr_type > UINT_MAX - data_type) {
|
|
+ pr_err("%s: integer overflow prevented\n", __func__);
|
|
+ return rc;
|
|
+ }
|
|
+
|
|
+ buf = kzalloc(client->addr_type+data_type, GFP_KERNEL);
|
|
+ if (!buf) {
|
|
+ pr_err("%s:%d no memory\n", __func__, __LINE__);
|
|
+ return -ENOMEM;
|
|
+ }
|
|
+
|
|
if (client->addr_type == MSM_CAMERA_I2C_BYTE_ADDR) {
|
|
buf[0] = addr;
|
|
} else if (client->addr_type == MSM_CAMERA_I2C_WORD_ADDR) {
|
|
@@ -119,6 +130,8 @@ int32_t msm_camera_qup_i2c_read(struct msm_camera_i2c_client *client,
|
|
rc = msm_camera_qup_i2c_rxdata(client, buf, data_type);
|
|
if (rc < 0) {
|
|
S_I2C_DBG("%s fail\n", __func__);
|
|
+ kfree(buf);
|
|
+ buf = NULL;
|
|
return rc;
|
|
}
|
|
|
|
@@ -128,6 +141,8 @@ int32_t msm_camera_qup_i2c_read(struct msm_camera_i2c_client *client,
|
|
*data = buf[0] << 8 | buf[1];
|
|
|
|
S_I2C_DBG("%s addr = 0x%x data: 0x%x\n", __func__, addr, *data);
|
|
+ kfree(buf);
|
|
+ buf = NULL;
|
|
return rc;
|
|
}
|
|
|
|
@@ -135,7 +150,7 @@ int32_t msm_camera_qup_i2c_read_seq(struct msm_camera_i2c_client *client,
|
|
uint32_t addr, uint8_t *data, uint32_t num_byte)
|
|
{
|
|
int32_t rc = -EFAULT;
|
|
- unsigned char buf[client->addr_type+num_byte];
|
|
+ unsigned char *buf = NULL;
|
|
int i;
|
|
|
|
if ((client->addr_type != MSM_CAMERA_I2C_BYTE_ADDR
|
|
@@ -143,6 +158,22 @@ int32_t msm_camera_qup_i2c_read_seq(struct msm_camera_i2c_client *client,
|
|
|| num_byte == 0)
|
|
return rc;
|
|
|
|
+ if (num_byte > I2C_REG_DATA_MAX) {
|
|
+ pr_err("%s: Error num_byte:0x%x exceeds 8K max supported:0x%x\n",
|
|
+ __func__, num_byte, I2C_REG_DATA_MAX);
|
|
+ return rc;
|
|
+ }
|
|
+ if (client->addr_type > UINT_MAX - num_byte) {
|
|
+ pr_err("%s: integer overflow prevented\n", __func__);
|
|
+ return rc;
|
|
+ }
|
|
+
|
|
+ buf = kzalloc(client->addr_type+num_byte, GFP_KERNEL);
|
|
+ if (!buf) {
|
|
+ pr_err("%s:%d no memory\n", __func__, __LINE__);
|
|
+ return -ENOMEM;
|
|
+ }
|
|
+
|
|
if (client->addr_type == MSM_CAMERA_I2C_BYTE_ADDR) {
|
|
buf[0] = addr;
|
|
} else if (client->addr_type == MSM_CAMERA_I2C_WORD_ADDR) {
|
|
@@ -152,6 +183,8 @@ int32_t msm_camera_qup_i2c_read_seq(struct msm_camera_i2c_client *client,
|
|
rc = msm_camera_qup_i2c_rxdata(client, buf, num_byte);
|
|
if (rc < 0) {
|
|
S_I2C_DBG("%s fail\n", __func__);
|
|
+ kfree(buf);
|
|
+ buf = NULL;
|
|
return rc;
|
|
}
|
|
|
|
@@ -161,6 +194,8 @@ int32_t msm_camera_qup_i2c_read_seq(struct msm_camera_i2c_client *client,
|
|
S_I2C_DBG("Byte %d: 0x%x\n", i, buf[i]);
|
|
S_I2C_DBG("Data: 0x%x\n", data[i]);
|
|
}
|
|
+ kfree(buf);
|
|
+ buf = NULL;
|
|
return rc;
|
|
}
|
|
|
|
--
|
|
cgit v1.1
|
|
|