DivestOS/Patches/Linux_CVEs/CVE-2015-8941/ANY/0001.patch
2017-11-07 17:32:46 -05:00


From d4d4d1dd626b21e68e78395bab3382c1eb04877f Mon Sep 17 00:00:00 2001
From: Petar Sivenov <psiven@codeaurora.org>
Date: Tue, 10 Feb 2015 13:46:18 +0200
Subject: msm:camera:isp: fix array index bound checks
This change fixes several incorrect or missing array index bound checks.
Change-Id: Icd96555c01330ec11e94c6173d8df1973fe39c33
Signed-off-by: Petar Sivenov <psiven@codeaurora.org>
---
.../platform/msm/camera_v2/isp/msm_isp_axi_util.c | 56 ++++++++++++++--------
1 file changed, 36 insertions(+), 20 deletions(-)
diff --git a/drivers/media/platform/msm/camera_v2/isp/msm_isp_axi_util.c b/drivers/media/platform/msm/camera_v2/isp/msm_isp_axi_util.c
index e3be614..bc993cd 100644
--- a/drivers/media/platform/msm/camera_v2/isp/msm_isp_axi_util.c
+++ b/drivers/media/platform/msm/camera_v2/isp/msm_isp_axi_util.c
@@ -368,8 +368,8 @@ int msm_isp_axi_check_stream_state(
return -EINVAL;
for (i = 0; i < stream_cfg_cmd->num_streams; i++) {
- if (HANDLE_TO_IDX(stream_cfg_cmd->stream_handle[i])
- > MAX_NUM_STREAM) {
+ if (HANDLE_TO_IDX(stream_cfg_cmd->stream_handle[i]) >=
+ MAX_NUM_STREAM) {
return -EINVAL;
}
stream_info = &axi_data->stream_info[
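Review bot: The handle-to-index bound check is still open-coded in this loop and in the loops of msm_isp_update_camif_output_count, msm_isp_axi_update_cgc_override, msm_isp_start_axi_stream, msm_isp_stop_axi_stream and msm_isp_update_axi_stream, which is how the same `>` off-by-one ended up in six places. A single lookup helper that returns NULL for an out-of-range index would keep the check and the `stream_info[]` access together, so a later call site cannot index the array without it. The helper name and the handle type below are suggestions to confirm against the driver headers. The loop bodies continue outside these hunks.

```c
/* Proposed helper: name and handle type are suggestions, not taken from the driver. */
static inline struct msm_vfe_axi_stream *msm_isp_get_stream_by_handle(
	struct msm_vfe_axi_shared_data *axi_data, uint32_t stream_handle)
{
	uint32_t idx = HANDLE_TO_IDX(stream_handle);

	if (idx >= MAX_NUM_STREAM)
		return NULL;
	return &axi_data->stream_info[idx];
}

/* ... unchanged: num_streams validation and loop header ... */
	stream_info = msm_isp_get_stream_by_handle(axi_data,
		stream_cfg_cmd->stream_handle[i]);
	if (!stream_info)
		return -EINVAL;
```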
@@ -676,8 +676,10 @@ int msm_isp_request_axi_stream(struct vfe_device *vfe_dev, void *arg)
&vfe_dev->axi_data, stream_cfg_cmd);
if (rc) {
pr_err("%s: Request validation failed\n", __func__);
- msm_isp_axi_destroy_stream(&vfe_dev->axi_data,
- HANDLE_TO_IDX(stream_cfg_cmd->axi_stream_handle));
+ if (HANDLE_TO_IDX(stream_cfg_cmd->axi_stream_handle) <
+ MAX_NUM_STREAM)
+ msm_isp_axi_destroy_stream(&vfe_dev->axi_data,
+ HANDLE_TO_IDX(stream_cfg_cmd->axi_stream_handle));
return rc;
}
stream_info = &vfe_dev->axi_data.
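Review bot: The new `if` guards a call that spans two lines but has no braces, and `HANDLE_TO_IDX(stream_cfg_cmd->axi_stream_handle)` is expanded once for the check and again for the call. Bracing the body, `if (...) { msm_isp_axi_destroy_stream(...); }`, would make the guard harder to break in a later edit. When the index is out of range the stream is now silently left undestroyed. Whether that can strand a stream slot depends on how axi_stream_handle was assigned earlier in msm_isp_request_axi_stream, which is outside the hunk.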
@@ -748,11 +750,17 @@ int msm_isp_release_axi_stream(struct vfe_device *vfe_dev, void *arg)
int rc = 0, i;
struct msm_vfe_axi_stream_release_cmd *stream_release_cmd = arg;
struct msm_vfe_axi_shared_data *axi_data = &vfe_dev->axi_data;
- struct msm_vfe_axi_stream *stream_info =
- &axi_data->stream_info[
- HANDLE_TO_IDX(stream_release_cmd->stream_handle)];
+ struct msm_vfe_axi_stream *stream_info;
struct msm_vfe_axi_stream_cfg_cmd stream_cfg;
+
+ if (HANDLE_TO_IDX(stream_release_cmd->stream_handle) >=
+ MAX_NUM_STREAM) {
+ pr_err("%s: Invalid stream handle\n", __func__);
+ return -EINVAL;
+ }
+ stream_info = &axi_data->stream_info[
+ HANDLE_TO_IDX(stream_release_cmd->stream_handle)];
if (stream_info->state == AVALIABLE) {
pr_err("%s: Stream already released\n", __func__);
return -EINVAL;
@@ -1069,6 +1077,11 @@ static void msm_isp_process_done_buf(struct vfe_device *vfe_dev,
uint8_t drop_frame = 0;
memset(&buf_event, 0, sizeof(buf_event));
+ if (stream_idx >= MAX_NUM_STREAM) {
+ pr_err("%s: Invalid stream_idx", __func__);
+ return;
+ }
+
frame_id = vfe_dev->axi_data.
src_info[SRC_TO_INTF(stream_info->stream_src)].frame_id;
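Review bot: The added `pr_err("%s: Invalid stream_idx", __func__);` has no trailing newline, unlike every other message in this patch, so it can run into the next log record; it should read `pr_err("%s: Invalid stream_idx\n", __func__);`. Including the rejected index in the message would also make a malformed handle easier to trace from the kernel log. How stream_idx is derived is not visible here, since msm_isp_process_done_buf begins outside the hunk.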
@@ -1235,8 +1248,8 @@ static void msm_isp_update_camif_output_count(
return;
for (i = 0; i < stream_cfg_cmd->num_streams; i++) {
- if (HANDLE_TO_IDX(stream_cfg_cmd->stream_handle[i])
- > MAX_NUM_STREAM) {
+ if (HANDLE_TO_IDX(stream_cfg_cmd->stream_handle[i]) >=
+ MAX_NUM_STREAM) {
return;
}
stream_info =
@@ -1535,8 +1548,8 @@ static int msm_isp_axi_update_cgc_override(struct vfe_device *vfe_dev,
return -EINVAL;
for (i = 0; i < stream_cfg_cmd->num_streams; i++) {
- if (HANDLE_TO_IDX(stream_cfg_cmd->stream_handle[i])
- > MAX_NUM_STREAM) {
+ if (HANDLE_TO_IDX(stream_cfg_cmd->stream_handle[i]) >=
+ MAX_NUM_STREAM) {
return -EINVAL;
}
stream_info = &axi_data->stream_info[
@@ -1567,8 +1580,8 @@ static int msm_isp_start_axi_stream(struct vfe_device *vfe_dev,
return -EINVAL;
for (i = 0; i < stream_cfg_cmd->num_streams; i++) {
- if (HANDLE_TO_IDX(stream_cfg_cmd->stream_handle[i])
- > MAX_NUM_STREAM) {
+ if (HANDLE_TO_IDX(stream_cfg_cmd->stream_handle[i]) >=
+ MAX_NUM_STREAM) {
return -EINVAL;
}
stream_info = &axi_data->stream_info[
@@ -1651,8 +1664,8 @@ static int msm_isp_stop_axi_stream(struct vfe_device *vfe_dev,
return -EINVAL;
for (i = 0; i < stream_cfg_cmd->num_streams; i++) {
- if (HANDLE_TO_IDX(stream_cfg_cmd->stream_handle[i])
- > MAX_NUM_STREAM) {
+ if (HANDLE_TO_IDX(stream_cfg_cmd->stream_handle[i]) >=
+ MAX_NUM_STREAM) {
return -EINVAL;
}
stream_info = &axi_data->stream_info[
@@ -1916,8 +1929,8 @@ int msm_isp_update_axi_stream(struct vfe_device *vfe_dev, void *arg)
for (i = 0; i < update_cmd->num_streams; i++) {
update_info = &update_cmd->update_info[i];
/*check array reference bounds*/
- if (HANDLE_TO_IDX(update_info->stream_handle)
- > MAX_NUM_STREAM) {
+ if (HANDLE_TO_IDX(update_info->stream_handle) >=
+ MAX_NUM_STREAM) {
return -EINVAL;
}
stream_info = &axi_data->stream_info[
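Review bot: No bound on `update_cmd->num_streams` is visible before this loop, and `update_info = &update_cmd->update_info[i];` is taken before the per-stream handle check runs. The other loops in this patch sit directly after a `return -EINVAL;`, which presumably validates the stream count, but this hunk shows no such guard. If msm_isp_update_axi_stream does not reject an oversized num_streams earlier (the function begins outside the hunk), the corrected `>=` check still leaves a read past the end of `update_info[]`. The existing comment `/*check array reference bounds*/` could then be extended to state which array each check protects.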
@@ -2082,7 +2095,9 @@ void msm_isp_process_axi_irq(struct vfe_device *vfe_dev,
comp_info = &axi_data->composite_info[i];
wm_mask &= ~(comp_info->stream_composite_mask);
if (comp_mask & (1 << i)) {
- if (!comp_info->stream_handle) {
+ stream_idx = HANDLE_TO_IDX(comp_info->stream_handle);
+ if ((!comp_info->stream_handle) ||
+ (stream_idx >= MAX_NUM_STREAM)) {
pr_err("%s: Invalid handle for composite irq\n",
__func__);
continue;
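Review bot: `stream_idx` is now assigned before the validity test in the composite path, but this hunk does not remove the assignment that presumably followed the block, whereas the wm path at `-2118` does delete its later `stream_idx = HANDLE_TO_IDX(axi_data->free_wm[i]);`. If the composite path still recomputes the index after the `continue` block, that line is redundant and the two paths should be made to match. Both checks sit in msm_isp_process_axi_irq, whose remaining body is outside the hunk. A short comment such as `/* handle 0 means unassigned; index must also fit stream_info[] */` would explain why both conditions are tested.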
@@ -2118,12 +2133,13 @@ void msm_isp_process_axi_irq(struct vfe_device *vfe_dev,
for (i = 0; i < axi_data->hw_info->num_wm; i++) {
if (wm_mask & (1 << i)) {
- if (!axi_data->free_wm[i]) {
+ stream_idx = HANDLE_TO_IDX(axi_data->free_wm[i]);
+ if ((!axi_data->free_wm[i]) ||
+ (stream_idx >= MAX_NUM_STREAM)) {
pr_err("%s: Invalid handle for wm irq\n",
__func__);
continue;
}
- stream_idx = HANDLE_TO_IDX(axi_data->free_wm[i]);
stream_info = &axi_data->stream_info[stream_idx];
ISP_DBG("%s: stream id %x frame id: 0x%x\n", __func__,
stream_info->stream_id, stream_info->frame_id);
--
cgit v1.1