DivestOS/Patches/Linux_CVEs-New/CVE-2017-8253/ANY/0.patch
2017-10-29 14:23:02 -04:00

70 lines
2.4 KiB
Diff

From a5f07894058c4198f61e533d727b343c5be879b0 Mon Sep 17 00:00:00 2001
From: Rajesh Bondugula <rajeshb@codeaurora.org>
Date: Tue, 15 Nov 2016 12:26:47 -0800
Subject: msm: camera: sensor: Add boundary check for cci master
Add boundary check for cci master in i2c_read.
This value is passed from userpsace. If user sends an
invalid number for master there is a possibility of
accessing unintended buffer.
This change addresses the issue.
Crs-Fixed: 1086764
Signed-off-by: Rajesh Bondugula <rajeshb@codeaurora.org>
Change-Id: Ice3bde902aea96382ceb4dfddfd28a5ea89c183d
---
.../media/platform/msm/camera_v2/sensor/cci/msm_cci.c | 18 +++++++++++++-----
1 file changed, 13 insertions(+), 5 deletions(-)
diff --git a/drivers/media/platform/msm/camera_v2/sensor/cci/msm_cci.c b/drivers/media/platform/msm/camera_v2/sensor/cci/msm_cci.c
index b1c2382..2412ed2 100644
--- a/drivers/media/platform/msm/camera_v2/sensor/cci/msm_cci.c
+++ b/drivers/media/platform/msm/camera_v2/sensor/cci/msm_cci.c
@@ -776,10 +776,18 @@ static int32_t msm_cci_i2c_read(struct v4l2_subdev *sd,
enum cci_i2c_queue_t queue = QUEUE_1;
struct cci_device *cci_dev = NULL;
struct msm_camera_cci_i2c_read_cfg *read_cfg = NULL;
+
CDBG("%s line %d\n", __func__, __LINE__);
cci_dev = v4l2_get_subdevdata(sd);
master = c_ctrl->cci_info->cci_i2c_master;
read_cfg = &c_ctrl->cfg.cci_i2c_read_cfg;
+
+ if (master >= MASTER_MAX || master < 0) {
+ pr_err("%s:%d Invalid I2C master %d\n",
+ __func__, __LINE__, master);
+ return -EINVAL;
+ }
+
mutex_lock(&cci_dev->cci_master_info[master].mutex_q[queue]);
/* Set the I2C Frequency */
@@ -1004,11 +1012,6 @@ static int32_t msm_cci_i2c_write(struct v4l2_subdev *sd,
enum cci_i2c_master_t master;
cci_dev = v4l2_get_subdevdata(sd);
- if (c_ctrl->cci_info->cci_i2c_master >= MASTER_MAX
- || c_ctrl->cci_info->cci_i2c_master < 0) {
- pr_err("%s:%d Invalid I2C master addr\n", __func__, __LINE__);
- return -EINVAL;
- }
if (cci_dev->cci_state != CCI_STATE_ENABLED) {
pr_err("%s invalid cci state %d\n",
__func__, cci_dev->cci_state);
@@ -1539,6 +1542,11 @@ static int32_t msm_cci_write(struct v4l2_subdev *sd,
return rc;
}
+ if (c_ctrl->cci_info->cci_i2c_master >= MASTER_MAX
+ || c_ctrl->cci_info->cci_i2c_master < 0) {
+ pr_err("%s:%d Invalid I2C master addr\n", __func__, __LINE__);
+ return -EINVAL;
+ }
master = c_ctrl->cci_info->cci_i2c_master;
cci_master_info = &cci_dev->cci_master_info[master];
--
cgit v1.1