Evolution-X-Devices/kernel_xiaomi_raphael
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

msm: ais: isp: validate in_port before accessing

Browse Source 
in_port information we getting from the UMD and accessing
it directly without validation which might lead to
corruption and device failure.

Change-Id: I0b406cdffd2f71ee5324905e29ae86994c19cef8
Signed-off-by: E V Ravi <evenka@codeaurora.org>
This commit is contained in:
E V Ravi
2020-05-04 15:36:29 +05:30
committed by Gerrit - the friendly Code Review server
parent 3964164902
commit 698ee3d927
1 changed files with 22 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

25
drivers/media/platform/msm/ais/cam_isp/isp_hw_mgr/cam_ife_hw_mgr.c
View File

@@ -1,4 +1,4 @@
/* Copyright (c) 2017-2019, The Linux Foundation. All rights reserved.
/* Copyright (c) 2017-2020, The Linux Foundation. All rights reserved.
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2 and
@@ -1792,18 +1792,36 @@ err:
static int cam_ife_mgr_check_and_update_fe(
struct cam_ife_hw_mgr_ctx *ife_ctx,
struct cam_isp_acquire_hw_info *acquire_hw_info)
struct cam_isp_acquire_hw_info *acquire_hw_info,
uint32_t acquire_info_size)
{
int i;
struct cam_isp_in_port_info *in_port = NULL;
uint32_t in_port_length = 0;
uint32_t total_in_port_length = 0;
if (acquire_hw_info->input_info_offset >=
acquire_hw_info->input_info_size) {
CAM_ERR(CAM_ISP,
"Invalid size offset 0x%x is greater then size 0x%x",
acquire_hw_info->input_info_offset,
acquire_hw_info->input_info_size);
return -EINVAL;
}
in_port = (struct cam_isp_in_port_info *)
((uint8_t *)&acquire_hw_info->data +
acquire_hw_info->input_info_offset);
for (i = 0; i < acquire_hw_info->num_inputs; i++) {
if (((uint8_t *)in_port +
sizeof(struct cam_isp_in_port_info)) >
((uint8_t *)acquire_hw_info +
acquire_info_size)) {
CAM_ERR(CAM_ISP, "Invalid size");
return -EINVAL;
}
if ((in_port->num_out_res > CAM_IFE_HW_OUT_RES_MAX) ||
(in_port->num_out_res <= 0)) {
CAM_ERR(CAM_ISP, "Invalid num output res %u",
@@ -2063,7 +2081,8 @@ static int cam_ife_mgr_acquire_hw(void *hw_mgr_priv, void *acquire_hw_args)
acquire_hw_info =
(struct cam_isp_acquire_hw_info *)acquire_args->acquire_info;
rc = cam_ife_mgr_check_and_update_fe(ife_ctx, acquire_hw_info);
rc = cam_ife_mgr_check_and_update_fe(ife_ctx, acquire_hw_info,
acquire_args->acquire_info_size);
if (rc) {
CAM_ERR(CAM_ISP, "buffer size is not enough");
goto free_cdm;