Commit 2be8a035 authored May 21, 2019 by Prakasha Nayak Committed by Gerrit - the friendly Code Review server May 28, 2019

msm: camera: icp: Prevent out of bound access in acquire



In ICP during acquire, no of output resource can change
from usespace. Change in no of output resource after the
memory allocation may result in out of bound access.
This can be avoided by checking value of no of output
resource during the allocation to the value copied from
userspace after allocation.

CRs-Fixed: 2414577
Change-Id: I063f472a7176caf25a9bd86324160974a915ffd8
Signed-off-by: Prakasha Nayak <pnayak@codeaurora.org>

parent 88623cb4

drivers/media/platform/msm/camera/cam_icp/icp_hw/icp_hw_mgr/cam_icp_hw_mgr.c

+6 −0

Original line number	Diff line number	Diff line
		@@ -4217,6 +4217,12 @@ static int cam_icp_get_acquire_info(struct cam_icp_hw_mgr *hw_mgr,
		return -EFAULT;
		}

		/* To make sure num_out_res is same as allocated */
		if (ctx_data->icp_dev_acquire_info->num_out_res !=
		icp_dev_acquire_info.num_out_res) {
		CAM_ERR(CAM_ICP, "num_out_res got changed");
		return -EFAULT;
		}
		CAM_DBG(CAM_ICP, "%x %x %x %x %x %x %x %u",
		ctx_data->icp_dev_acquire_info->dev_type,
		ctx_data->icp_dev_acquire_info->in_res.format,