DivestOS/Patches/Linux_CVEs/CVE-2013-6123/ANY/0002.patch
2017-11-07 17:32:46 -05:00


From 60e4af06161d91d5aeaa04c7d6e9f4345a6acdd4 Mon Sep 17 00:00:00 2001
From: Alok Kediya <kediya@codeaurora.org>
Date: Thu, 10 Oct 2013 12:11:01 +0530
Subject: msm:camera: Bounds and validity check for params
Check the range and validity of parameters before accessing.
CRs-fixed: 550607, 554434, 554436
Change-Id: I2d6aec4f9cb9385789c0df6a2c4abefe9e87539f
Signed-off-by: Alok Kediya <kediya@codeaurora.org>
---
drivers/media/video/msm/server/msm_cam_server.c | 20 ++++++++++++++++----
1 file changed, 16 insertions(+), 4 deletions(-)
diff --git a/drivers/media/video/msm/server/msm_cam_server.c b/drivers/media/video/msm/server/msm_cam_server.c
index 4bda7a3..5fc8e83 100644
--- a/drivers/media/video/msm/server/msm_cam_server.c
+++ b/drivers/media/video/msm/server/msm_cam_server.c
@@ -311,6 +311,13 @@ static int msm_ctrl_cmd_done(void *arg)
goto ctrl_cmd_done_error;
}
+ if(command->queue_idx < 0 ||
+ command->queue_idx >= MAX_NUM_ACTIVE_CAMERA) {
+ pr_err("%s: Invalid value OR index %d\n", __func__,
+ command->queue_idx);
+ goto ctrl_cmd_done_error;
+ }
+
if (!g_server_dev.server_queue[command->queue_idx].queue_active) {
pr_err("%s: Invalid queue\n", __func__);
goto ctrl_cmd_done_error;
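Review bot: The range check added to msm_ctrl_cmd_done bounds command->queue_idx by MAX_NUM_ACTIVE_CAMERA, but the declaration of g_server_dev.server_queue is not in the hunk, so the guard is only correct if that array has exactly that many entries. Bounding by the array itself, `command->queue_idx >= ARRAY_SIZE(g_server_dev.server_queue)`, keeps the check tied to the object it protects; the same applies to the check added in msm_server_send_ctrl in the third hunk. The `< 0` test is only meaningful if queue_idx is a signed field, which the `%d` in the message suggests but the hunk does not show. Two smaller points: kernel style wants `if (` with a space, and the message would be clearer as `"%s: queue_idx %d out of range\n"`. The function starts and ends outside the hunk.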
@@ -339,7 +346,8 @@ static int msm_ctrl_cmd_done(void *arg)
max_control_command_size);
goto ctrl_cmd_done_error;
}
- if (copy_from_user(command->value, uptr, command->length)) {
+ if (copy_from_user(command->value, (void __user *)uptr,
+ command->length)) {
pr_err("%s: copy_from_user failed, size=%d\n",
__func__, sizeof(struct msm_ctrl_cmd));
goto ctrl_cmd_done_error;
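Review bot: The `(void __user *)` cast on uptr silences the sparse address-space warning at this one call instead of carrying the annotation from where the pointer is obtained. uptr's declaration is outside the hunk, but declaring it as `void __user *uptr` would let sparse check every use of it, not just this one. On the failure path directly below, the message prints `sizeof(struct msm_ctrl_cmd)` with `%d`, although the length actually copied is command->length and sizeof yields a size_t. Logging command->length with a specifier matching its type would make the message useful when triaging a rejected request.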
@@ -2650,13 +2658,17 @@ int msm_server_send_ctrl(struct msm_ctrl_cmd *out,
struct msm_queue_cmd *event_qcmd;
struct msm_ctrl_cmd *ctrlcmd;
struct msm_cam_server_dev *server_dev = &g_server_dev;
- struct msm_device_queue *queue =
- &server_dev->server_queue[out->queue_idx].ctrl_q;
-
+ struct msm_device_queue *queue;
struct v4l2_event v4l2_evt;
struct msm_isp_event_ctrl *isp_event;
void *ctrlcmd_data;
+ if(out->queue_idx < 0 || out->queue_idx >= MAX_NUM_ACTIVE_CAMERA) {
+ pr_err("%s: Invalid index %d\n", __func__, out->queue_idx);
+ return -EINVAL;
+ }
+ queue = &server_dev->server_queue[out->queue_idx].ctrl_q;
+
event_qcmd = kzalloc(sizeof(struct msm_queue_cmd), GFP_KERNEL);
if (!event_qcmd) {
pr_err("%s Insufficient memory. return", __func__);
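Review bot: msm_server_send_ctrl now validates the range of out->queue_idx but, in the visible lines, not that the selected slot is in use, whereas msm_ctrl_cmd_done tests `queue_active` right after its own range check. If neither the rest of the function (it continues past the hunk) nor its callers guarantee this, adding `if (!server_dev->server_queue[out->queue_idx].queue_active) return -EINVAL;` before taking ctrl_q would keep an event from being queued on an inactive queue. out is also dereferenced without a NULL check in the visible lines, so it is worth confirming that no caller can pass NULL. The early `return -EINVAL` sits before the kzalloc, so it leaks nothing.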
--
cgit v1.1