DivestOS/Patches/Linux_CVEs-New/CVE-2016-3903/ANY/0.patch
2017-10-29 14:23:02 -04:00

58 lines
2.3 KiB
Diff

From b8874573428e8ce024f57c6242d662fcca5e5d55 Mon Sep 17 00:00:00 2001
From: VijayaKumar T M <vtmuni@codeaurora.org>
Date: Mon, 25 Jul 2016 11:53:19 +0530
Subject: msm: camera: sensor: Fix use after free condition
Add a check to return value before calling csid config which will
otherwise lead to use after free scenario.
CRs-Fixed: 1040857
Change-Id: I4f4d9e38eeb537875e0d01de0e99913a44dd3f3f
Signed-off-by: VijayaKumar T M <vtmuni@codeaurora.org>
---
drivers/media/platform/msm/camera_v2/sensor/csid/msm_csid.c | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/drivers/media/platform/msm/camera_v2/sensor/csid/msm_csid.c b/drivers/media/platform/msm/camera_v2/sensor/csid/msm_csid.c
index 5864096..7dd2959 100644
--- a/drivers/media/platform/msm/camera_v2/sensor/csid/msm_csid.c
+++ b/drivers/media/platform/msm/camera_v2/sensor/csid/msm_csid.c
@@ -1,4 +1,4 @@
-/* Copyright (c) 2011-2015, The Linux Foundation. All rights reserved.
+/* Copyright (c) 2011-2016, The Linux Foundation. All rights reserved.
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2 and
@@ -518,7 +518,7 @@ static int32_t msm_csid_cmd(struct csid_device *csid_dev, void __user *arg)
break;
}
if (csid_params.lut_params.num_cid < 1 ||
- csid_params.lut_params.num_cid > 16) {
+ csid_params.lut_params.num_cid > MAX_CID) {
pr_err("%s: %d num_cid outside range\n",
__func__, __LINE__);
rc = -EINVAL;
@@ -547,6 +547,10 @@ static int32_t msm_csid_cmd(struct csid_device *csid_dev, void __user *arg)
csid_params.lut_params.vc_cfg[i] = vc_cfg;
}
csid_dev->csid_sof_debug = 0;
+ if (rc < 0) {
+ pr_err("%s:%d failed\n", __func__, __LINE__);
+ break;
+ }
rc = msm_csid_config(csid_dev, &csid_params);
for (i--; i >= 0; i--)
kfree(csid_params.lut_params.vc_cfg[i]);
@@ -658,7 +662,7 @@ static int32_t msm_csid_cmd32(struct csid_device *csid_dev, void __user *arg)
csid_params.lut_params.num_cid = lut_par32.num_cid;
if (csid_params.lut_params.num_cid < 1 ||
- csid_params.lut_params.num_cid > 16) {
+ csid_params.lut_params.num_cid > MAX_CID) {
pr_err("%s: %d num_cid outside range\n",
__func__, __LINE__);
rc = -EINVAL;
--
cgit v1.1