DivestOS/Patches/Linux_CVEs/CVE-2014-9889/0.patch


From b0c2274b13a0487e72e57342a842a99a15149fb9 Mon Sep 17 00:00:00 2001
From: Iliya Varadzhakov <ivarad@codeaurora.org>
Date: Thu, 19 Jun 2014 20:03:00 -0700
Subject: msm: cpp: Validate frame message before manipulating it
CPP frame message is used to send all frame data
to Microcontroller. It is sent every frame. CPP kernel
driver has to add information to it before transferring it.
The message has to be validated before manipulations.
If it is not valid the message and corresponding frame
are discarded.
Change-Id: Id272eb2296233c66befd015f41f19a9fbc551572
Signed-off-by: Iliya Varadzhakov <ivarad@codeaurora.org>
---
.../platform/msm/camera_v2/pproc/cpp/msm_cpp.c | 24 ++++++++++++++++++++++
include/media/msmb_pproc.h | 3 ++-
2 files changed, 26 insertions(+), 1 deletion(-)
diff --git a/drivers/media/platform/msm/camera_v2/pproc/cpp/msm_cpp.c b/drivers/media/platform/msm/camera_v2/pproc/cpp/msm_cpp.c
index a7589e4..5b17a4d 100644
--- a/drivers/media/platform/msm/camera_v2/pproc/cpp/msm_cpp.c
+++ b/drivers/media/platform/msm/camera_v2/pproc/cpp/msm_cpp.c
@@ -1436,6 +1436,18 @@ static int msm_cpp_cfg_frame(struct cpp_device *cpp_dev,
}
cpp_frame_msg = new_frame->cpp_cmd_msg;
+ if (cpp_frame_msg == NULL ||
+ (new_frame->msg_len < MSM_CPP_MIN_FRAME_LENGTH)) {
+ pr_err("%s %d Length is not correct or frame message is missing\n",
+ __func__, __LINE__);
+ return -EINVAL;
+ }
+
+ if (cpp_frame_msg[new_frame->msg_len - 1] != MSM_CPP_MSG_ID_TRAILER) {
+ pr_err("%s %d Invalid frame message\n", __func__, __LINE__);
+ return -EINVAL;
+ }
+
in_phyaddr = msm_cpp_fetch_buffer_info(cpp_dev,
&new_frame->input_buffer_info,
((new_frame->input_buffer_info.identity >> 16) & 0xFFFF),
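Review bot: The trailer read `cpp_frame_msg[new_frame->msg_len - 1]` is in bounds only if the buffer behind `cpp_cmd_msg` really holds `msg_len` elements, and nothing in this hunk ties the two together; the added check enforces only the lower bound. That invariant is presumably established where the message is allocated and copied, outside the hunk (msm_cpp_cfg_frame starts and ends outside it). Once confirmed, it deserves a comment above the check, e.g. `/* cpp_cmd_msg was allocated with msg_len entries by the caller; msg_len <= MSM_CPP_MAX_FRAME_LENGTH is checked there */`. If a caller can provoke these failures repeatedly, `pr_err_ratelimited` would keep the kernel log from being flooded.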
@@ -1532,6 +1544,12 @@ static int msm_cpp_cfg_frame(struct cpp_device *cpp_dev,
goto phyaddr_err;
}
+ if ((stripe_base + num_stripes*27 + 1) != new_frame->msg_len) {
+ pr_err("Invalid frame message\n");
+ rc = -EINVAL;
+ goto phyaddr_err;
+ }
+
for (i = 0; i < num_stripes; i++) {
cpp_frame_msg[stripe_base + 5 + i*27] +=
(uint32_t) in_phyaddr;
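Review bot: The equality `(stripe_base + num_stripes*27 + 1) != new_frame->msg_len` protects the loop below only while `num_stripes*27` cannot wrap. `num_stripes` is computed outside the hunk; if it comes from the message without an upper limit, the sum could wrap around to `msg_len` while the loop still runs `num_stripes` times. Bounding it before the multiplication, for instance rejecting `num_stripes > MSM_CPP_MAX_FRAME_LENGTH / 27`, would make the check hold regardless of its type. The stride literals 27 here and 48 in the third hunk are repeated in the check and in the loop indices, so a named constant per firmware layout would keep them from drifting apart. Both new `pr_err("Invalid frame message\n")` calls also drop the `__func__, __LINE__` prefix used in the first hunk, so the three failures cannot be told apart in the log.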
@@ -1572,6 +1590,12 @@ static int msm_cpp_cfg_frame(struct cpp_device *cpp_dev,
stripe_base = STRIPE_BASE_FW_1_8_0;
+ if ((stripe_base + num_stripes*48 + 1) != new_frame->msg_len) {
+ pr_err("Invalid frame message\n");
+ rc = -EINVAL;
+ goto phyaddr_err;
+ }
+
for (i = 0; i < num_stripes; i++) {
cpp_frame_msg[stripe_base + 8 + i * 48] +=
diff --git a/include/media/msmb_pproc.h b/include/media/msmb_pproc.h
index 118ec30..3137aaa 100644
--- a/include/media/msmb_pproc.h
+++ b/include/media/msmb_pproc.h
@@ -16,7 +16,8 @@
#define MAX_NUM_CPP_STRIPS 8
#define MSM_CPP_MAX_NUM_PLANES 3
-#define MSM_CPP_MAX_FRAME_LENGTH 1024
+#define MSM_CPP_MIN_FRAME_LENGTH 13
+#define MSM_CPP_MAX_FRAME_LENGTH 2048
#define MSM_CPP_MAX_FW_NAME_LEN 32
#define MAX_FREQ_TBL 10
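Review bot: `MSM_CPP_MIN_FRAME_LENGTH 13` is added with no comment on what the 13 covers, so a later change to the message layout can silently invalidate the lower-bound check in msm_cpp.c. A one-line comment such as `/* shortest valid CPP frame message, trailer included */` would record the intent, if that is what the value represents. Doubling `MSM_CPP_MAX_FRAME_LENGTH` to 2048 also changes every user of that constant, none of which is visible in this patch. Any allocation or copy bounded by it should be rechecked against the new size.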
--
cgit v1.1