msm: camera: Validate packet params against cpu buffer length (95cec7ab) · Commits · e / devices / android_kernel_fairphone_FP3

drivers/media/platform/msm/camera/cam_cdm/cam_cdm_virtual_core.c

+9 −1

Original line number	Diff line number	Diff line
		/* Copyright (c) 2017-2018, The Linux Foundation. All rights reserved.
		/* Copyright (c) 2017-2019, The Linux Foundation. All rights reserved.
		*
		* This program is free software; you can redistribute it and/or modify
		* it under the terms of the GNU General Public License version 2 and
		@@ -118,6 +118,14 @@ int cam_virtual_cdm_submit_bl(struct cam_hw_info *cdm_hw,

		if ((!rc) && (vaddr_ptr) && (len) &&
		(len >= cdm_cmd->cmd[i].offset)) {


		if ((len - cdm_cmd->cmd[i].offset) <=
		cdm_cmd->cmd[i].len) {
		CAM_ERR(CAM_CDM, "Not enough buffer");
		rc = -EINVAL;
		break;
		}
		CAM_DBG(CAM_CDM,
		"hdl=%x vaddr=%pK offset=%d cmdlen=%d:%zu",
		cdm_cmd->cmd[i].bl_addr.mem_handle,

drivers/media/platform/msm/camera/cam_core/cam_context_utils.c

+11 −1

Original line number	Diff line number	Diff line
		/* Copyright (c) 2017-2018, The Linux Foundation. All rights reserved.
		/* Copyright (c) 2017-2019, The Linux Foundation. All rights reserved.
		*
		* This program is free software; you can redistribute it and/or modify
		* it under the terms of the GNU General Public License version 2 and
		@@ -275,6 +275,7 @@ int32_t cam_context_prepare_dev_to_hw(struct cam_context *ctx,
		uintptr_t packet_addr;
		struct cam_packet *packet;
		size_t len = 0;
		size_t remain_len = 0;
		int32_t i = 0, j = 0;

		if (!ctx \|\| !cmd) {
		@@ -323,12 +324,21 @@ int32_t cam_context_prepare_dev_to_hw(struct cam_context *ctx,
		goto free_req;
		}

		remain_len = len;
		if ((len < sizeof(struct cam_packet)) \|\|
		((size_t)cmd->offset >= len - sizeof(struct cam_packet))) {
		CAM_ERR(CAM_CTXT, "invalid buff length: %zu or offset", len);
		return -EINVAL;
		}

		remain_len -= (size_t)cmd->offset;
		packet = (struct cam_packet ) ((uint8_t )packet_addr +
		(uint32_t)cmd->offset);

		/* preprocess the configuration */
		memset(&cfg, 0, sizeof(cfg));
		cfg.packet = packet;
		cfg.remain_len = remain_len;
		cfg.ctxt_to_hw_map = ctx->ctxt_to_hw_map;
		cfg.max_hw_update_entries = CAM_CTX_CFG_MAX;
		cfg.num_hw_update_entries = req->num_hw_update_entries;

drivers/media/platform/msm/camera/cam_core/cam_hw_mgr_intf.h

+3 −1

Original line number	Diff line number	Diff line
		/* Copyright (c) 2017-2018, The Linux Foundation. All rights reserved.
		/* Copyright (c) 2017-2019, The Linux Foundation. All rights reserved.
		*
		* This program is free software; you can redistribute it and/or modify
		* it under the terms of the GNU General Public License version 2 and
		@@ -152,6 +152,7 @@ struct cam_hw_mgr_dump_pf_data {
		* struct cam_hw_prepare_update_args - Payload for prepare command
		*
		* @packet: CSL packet from user mode driver
		* @remain_len Remaining length of CPU buffer after config offset
		* @ctxt_to_hw_map: HW context from the acquire
		* @max_hw_update_entries: Maximum hardware update entries supported
		* @hw_update_entries: Actual hardware update configuration (returned)
		@@ -168,6 +169,7 @@ struct cam_hw_mgr_dump_pf_data {
		*/
		struct cam_hw_prepare_update_args {
		struct cam_packet *packet;
		size_t remain_len;
		void *ctxt_to_hw_map;
		uint32_t max_hw_update_entries;
		struct cam_hw_update_entry *hw_update_entries;

drivers/media/platform/msm/camera/cam_fd/fd_hw_mgr/cam_fd_hw_mgr.c

+13 −5

Original line number	Diff line number	Diff line
		/* Copyright (c) 2017-2018, The Linux Foundation. All rights reserved.
		/* Copyright (c) 2017-2019, The Linux Foundation. All rights reserved.
		*
		* This program is free software; you can redistribute it and/or modify
		* it under the terms of the GNU General Public License version 2 and
		@@ -30,7 +30,8 @@

		static struct cam_fd_hw_mgr g_fd_hw_mgr;

		static int cam_fd_mgr_util_packet_validate(struct cam_packet *packet)
		static int cam_fd_mgr_util_packet_validate(struct cam_packet *packet,
		size_t remain_len)
		{
		struct cam_cmd_buf_desc *cmd_desc = NULL;
		int i, rc;
		@@ -50,7 +51,7 @@ static int cam_fd_mgr_util_packet_validate(struct cam_packet *packet)
		packet->patch_offset, packet->num_patches,
		packet->kmd_cmd_buf_offset, packet->kmd_cmd_buf_index);

		if (cam_packet_util_validate_packet(packet)) {
		if (cam_packet_util_validate_packet(packet, remain_len)) {
		CAM_ERR(CAM_FD, "invalid packet:%d %d %d %d %d",
		packet->kmd_cmd_buf_index,
		packet->num_cmd_buf, packet->cmd_buf_offset,
		@@ -608,7 +609,13 @@ static int cam_fd_mgr_util_prepare_io_buf_info(int32_t iommu_hdl,
		rc);
		return rc;
		}

		if (io_cfg[i].offsets[plane] >= size) {
		CAM_ERR(CAM_FD,
		"Invalid cpu buf %d %d %d",
		io_cfg[i].direction,
		io_cfg[i].resource_type, plane);
		return -EINVAL;
		}
		cpu_addr[plane] += io_cfg[i].offsets[plane];
		}

		@@ -1559,7 +1566,8 @@ static int cam_fd_mgr_hw_prepare_update(void *hw_mgr_priv,
		goto error;
		}

		rc = cam_fd_mgr_util_packet_validate(prepare->packet);
		rc = cam_fd_mgr_util_packet_validate(prepare->packet,
		prepare->remain_len);
		if (rc) {
		CAM_ERR(CAM_FD, "Error in packet validation %d", rc);
		goto error;

drivers/media/platform/msm/camera/cam_icp/icp_hw/icp_hw_mgr/cam_icp_hw_mgr.c

+4 −1

Original line number	Diff line number	Diff line
		/* Copyright (c) 2017-2018, The Linux Foundation. All rights reserved.
		/* Copyright (c) 2017-2019, The Linux Foundation. All rights reserved.
		*
		* This program is free software; you can redistribute it and/or modify
		* it under the terms of the GNU General Public License version 2 and
		@@ -3693,6 +3693,9 @@ static int cam_icp_mgr_prepare_hw_update(void *hw_mgr_priv,

		packet = prepare_args->packet;

		if (cam_packet_util_validate_packet(packet, prepare_args->remain_len))
		return -EINVAL;

		rc = cam_icp_mgr_pkt_validation(packet);
		if (rc) {
		mutex_unlock(&ctx_data->ctx_mutex);