
Commit 3b5a7d42 authored by Linux Build Service Account's avatar Linux Build Service Account Committed by Gerrit - the friendly Code Review server

Merge "msm: camera: isp: Prevent out of bounds read"

parents fc9e09f4 2cae382c
+71 −8
@@ -2580,8 +2580,8 @@ static int cam_isp_packet_generic_blob_handler(void *user_data,
	struct cam_hw_prepare_update_args *prepare = NULL;

	if (!blob_data || (blob_size == 0) || !blob_info) {
		CAM_ERR(CAM_ISP, "Invalid info blob %pK %d prepare %pK",
			blob_data, blob_size, prepare);
		CAM_ERR(CAM_ISP, "Invalid args data %pK size %d info %pK",
			blob_data, blob_size, blob_info);
		return -EINVAL;
	}

@@ -2600,8 +2600,29 @@ static int cam_isp_packet_generic_blob_handler(void *user_data,

	switch (blob_type) {
	case CAM_ISP_GENERIC_BLOB_TYPE_HFR_CONFIG: {
		struct cam_isp_resource_hfr_config    *hfr_config =
			(struct cam_isp_resource_hfr_config *)blob_data;
		struct cam_isp_resource_hfr_config    *hfr_config;

		if (blob_size < sizeof(struct cam_isp_resource_hfr_config)) {
			CAM_ERR(CAM_ISP, "Invalid blob size %u", blob_size);
			return -EINVAL;
		}

		hfr_config = (struct cam_isp_resource_hfr_config *)blob_data;

		if (hfr_config->num_ports > CAM_ISP_IFE_OUT_RES_MAX) {
			CAM_ERR(CAM_ISP, "Invalid num_ports %u in hfr config",
				hfr_config->num_ports);
			return -EINVAL;
		}

		if (blob_size < (sizeof(uint32_t) * 2 + hfr_config->num_ports *
			sizeof(struct cam_isp_port_hfr_config))) {
			CAM_ERR(CAM_ISP, "Invalid blob size %u expected %lu",
				blob_size, (unsigned long)(sizeof(uint32_t)
				* 2 + sizeof(struct cam_isp_port_hfr_config) *
				hfr_config->num_ports));
			return -EINVAL;
		}

		rc = cam_isp_blob_hfr_update(blob_type, blob_info,
			hfr_config, prepare);
@@ -2610,8 +2631,29 @@ static int cam_isp_packet_generic_blob_handler(void *user_data,
	}
		break;
	case CAM_ISP_GENERIC_BLOB_TYPE_CLOCK_CONFIG: {
		struct cam_isp_clock_config    *clock_config =
			(struct cam_isp_clock_config *)blob_data;
		struct cam_isp_clock_config    *clock_config;

		if (blob_size < sizeof(struct cam_isp_clock_config)) {
			CAM_ERR(CAM_ISP, "Invalid blob size %u", blob_size);
			return -EINVAL;
		}

		clock_config = (struct cam_isp_clock_config *)blob_data;

		if (clock_config->num_rdi > CAM_IFE_RDI_NUM_MAX) {
			CAM_ERR(CAM_ISP, "Invalid num_rdi %u in clock config",
				clock_config->num_rdi);
			return -EINVAL;
		}

		if (blob_size < (sizeof(uint32_t) * 2 + sizeof(uint64_t) *
			(clock_config->num_rdi + 2))) {
			CAM_ERR(CAM_ISP, "Invalid blob size %u expected %lu",
				blob_size, (unsigned long)(sizeof(uint32_t)
				* 2 + sizeof(uint64_t) *
				(clock_config->num_rdi + 2)));
			return -EINVAL;
		}

		rc = cam_isp_blob_clock_update(blob_type, blob_info,
			clock_config, prepare);
@@ -2620,10 +2662,31 @@ static int cam_isp_packet_generic_blob_handler(void *user_data,
	}
		break;
	case CAM_ISP_GENERIC_BLOB_TYPE_BW_CONFIG: {
		struct cam_isp_bw_config    *bw_config =
			(struct cam_isp_bw_config *)blob_data;
		struct cam_isp_bw_config    *bw_config;
		struct cam_isp_prepare_hw_update_data   *prepare_hw_data;

		if (blob_size < sizeof(struct cam_isp_bw_config)) {
			CAM_ERR(CAM_ISP, "Invalid blob size %u", blob_size);
			return -EINVAL;
		}

		bw_config = (struct cam_isp_bw_config *)blob_data;

		if (bw_config->num_rdi > CAM_IFE_RDI_NUM_MAX) {
			CAM_ERR(CAM_ISP, "Invalid num_rdi %u in bw config",
				bw_config->num_rdi);
			return -EINVAL;
		}

		if (blob_size < (sizeof(uint32_t) * 2 + (bw_config->num_rdi + 2)
			* sizeof(struct cam_isp_bw_vote))) {
			CAM_ERR(CAM_ISP, "Invalid blob size %u expected %lu",
				blob_size, (unsigned long)(sizeof(uint32_t)
				* 2 + (bw_config->num_rdi + 2)
				* sizeof(struct cam_isp_bw_vote)));
			return -EINVAL;
		}

		if (!prepare || !prepare->priv ||
			(bw_config->usage_type >= CAM_IFE_HW_NUM_MAX)) {
			CAM_ERR(CAM_ISP, "Invalid inputs");
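Review bot: In each of the three cases (HFR, clock and BW config) the required blob size is written out twice, once in the `blob_size <` comparison and once as the CAM_ERR argument, with the header length hard-coded as `sizeof(uint32_t) * 2`, so the bounds check, the log message and the struct layout can drift apart without anyone noticing. Computing it once per case, e.g. `size_t need = sizeof(uint32_t) * 2 + hfr_config->num_ports * sizeof(struct cam_isp_port_hfr_config);` followed by `if (blob_size < need)`, keeps the check and the message in step; deriving the header length from the struct definition rather than a literal would be better still if the layout allows it. Separately, `num_ports` and `num_rdi` are validated through `blob_data` in place and the same pointer is then handed to `cam_isp_blob_hfr_update()`, `cam_isp_blob_clock_update()` and the BW path. The hunks do not show whether that memory can still be modified after the check, so it is worth confirming that the callees cannot observe a different count than the one validated here, or copying the validated header into a local before use. The function body starts and ends outside the hunks shown.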