DivestOS/Patches/Linux_CVEs/CVE-2017-0631/ANY/0001.patch
2017-11-07 17:32:46 -05:00

42 lines
1.6 KiB
Diff

From 8236d6ebc7e26361ca7078cbeba01509f10941d8 Mon Sep 17 00:00:00 2001
From: Rajesh Bondugula <rajeshb@codeaurora.org>
Date: Tue, 22 Nov 2016 11:04:04 -0800
Subject: msm: camera: flash: Validate the power setting size
Validate the power setting size before copying.
If userspace sends a value which is greater than
MAX_POWER_CONFIG, then the driver accesses unintended memory.
This change will fix the issue.
CRs-Fixed: 1093232
Signed-off-by: Rajesh Bondugula <rajeshb@codeaurora.org>
Change-Id: Ia49963248a94765baa19695294b197ea6f3bb8e2
---
drivers/media/platform/msm/camera_v2/sensor/flash/msm_flash.c | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/drivers/media/platform/msm/camera_v2/sensor/flash/msm_flash.c b/drivers/media/platform/msm/camera_v2/sensor/flash/msm_flash.c
index 5f749bd..6c8826b 100644
--- a/drivers/media/platform/msm/camera_v2/sensor/flash/msm_flash.c
+++ b/drivers/media/platform/msm/camera_v2/sensor/flash/msm_flash.c
@@ -269,6 +269,16 @@ static int32_t msm_flash_i2c_init(
flash_ctrl->power_info.power_down_setting_size =
flash_ctrl->power_setting_array.size_down;
+ if ((flash_ctrl->power_info.power_setting_size > MAX_POWER_CONFIG) ||
+ (flash_ctrl->power_info.power_down_setting_size > MAX_POWER_CONFIG)) {
+ pr_err("%s:%d invalid power setting size=%d size_down=%d\n",
+ __func__, __LINE__,
+ flash_ctrl->power_info.power_setting_size,
+ flash_ctrl->power_info.power_down_setting_size);
+ rc = -EINVAL;
+ goto msm_flash_i2c_init_fail;
+ }
+
rc = msm_camera_power_up(&flash_ctrl->power_info,
flash_ctrl->flash_device_type,
&flash_ctrl->flash_i2c_client);
--
cgit v1.1