msm: camera: common: Add conditions to catch invalid packet data (e6d03e41) · Commits · e / devices / android_kernel_fairphone_FP4

drivers/cam_fd/fd_hw_mgr/cam_fd_hw_mgr.c

+4 −1

Original line number	Diff line number	Diff line
		// SPDX-License-Identifier: GPL-2.0-only
		/*
		* Copyright (c) 2017-2020, The Linux Foundation. All rights reserved.
		* Copyright (c) 2022 Qualcomm Innovation Center, Inc. All rights reserved.
		*/

		#include <linux/module.h>
		@@ -53,7 +54,9 @@ static int cam_fd_mgr_util_packet_validate(struct cam_packet *packet,
		}

		/* All buffers must come through io config, do not support patching */
		if (packet->num_patches \|\| !packet->num_io_configs) {
		if (packet->num_patches \|\|
		!packet->num_io_configs \|\|
		!packet->num_cmd_buf) {
		CAM_ERR(CAM_FD, "wrong number of cmd/patch info: %u %u",
		packet->num_cmd_buf, packet->num_patches);
		return -EINVAL;

+4 −2

Original line number	Diff line number	Diff line
		@@ -4215,13 +4215,15 @@ static int cam_icp_mgr_pkt_validation(struct cam_packet *packet)
		return -EINVAL;
		}

		if (packet->num_io_configs > IPE_IO_IMAGES_MAX) {
		if (!packet->num_io_configs \|\|
		packet->num_io_configs > IPE_IO_IMAGES_MAX) {
		CAM_ERR(CAM_ICP, "Invalid number of io configs: %d %d",
		IPE_IO_IMAGES_MAX, packet->num_io_configs);
		return -EINVAL;
		}

		if (packet->num_cmd_buf > CAM_ICP_CTX_MAX_CMD_BUFFERS) {
		if (!packet->num_cmd_buf \|\|
		packet->num_cmd_buf > CAM_ICP_CTX_MAX_CMD_BUFFERS) {
		CAM_ERR(CAM_ICP, "Invalid number of cmd buffers: %d %d",
		CAM_ICP_CTX_MAX_CMD_BUFFERS, packet->num_cmd_buf);
		return -EINVAL;

+4 −2

Original line number	Diff line number	Diff line
		// SPDX-License-Identifier: GPL-2.0-only
		/*
		* Copyright (c) 2017-2021, The Linux Foundation. All rights reserved.
		* Copyright (c) 2022 Qualcomm Innovation Center, Inc. All rights reserved.
		*/

		#include <linux/uaccess.h>
		@@ -727,8 +728,9 @@ static int cam_jpeg_mgr_prepare_hw_update(void *hw_mgr_priv,
		return rc;
		}

		if ((packet->num_cmd_buf > 5) \|\| !packet->num_patches \|\|
		!packet->num_io_configs \|\|
		if (!packet->num_cmd_buf \|\|
		(packet->num_cmd_buf > 5) \|\|
		!packet->num_patches \|\| !packet->num_io_configs \|\|
		(packet->num_io_configs > CAM_JPEG_IMAGE_MAX)) {
		CAM_ERR(CAM_JPEG,
		"wrong number of cmd/patch/io_configs info: %u %u %u",

+6 −0

Original line number	Diff line number	Diff line
		// SPDX-License-Identifier: GPL-2.0-only
		/*
		* Copyright (c) 2017-2020, The Linux Foundation. All rights reserved.
		* Copyright (c) 2022 Qualcomm Innovation Center, Inc. All rights reserved.
		*/

		#include <linux/module.h>
		@@ -112,6 +113,11 @@ static int cam_lrme_mgr_util_packet_validate(struct cam_packet *packet,
		return -EINVAL;
		}

		if (!packet->num_cmd_buf) {
		CAM_ERR(CAM_LRME, "no cmd bufs");
		return -EINVAL;
		}

		cmd_desc = (struct cam_cmd_buf_desc )((uint8_t )&packet->payload +
		packet->cmd_buf_offset);

+16 −3

Original line number	Diff line number	Diff line
		@@ -261,9 +261,22 @@ int32_t cam_cmd_buf_parser(struct csiphy_device *csiphy_dev,
		return rc;
		}

		if (csl_packet->num_cmd_buf)
		cmd_desc = (struct cam_cmd_buf_desc *)
		((uint32_t *)&csl_packet->payload +
		csl_packet->cmd_buf_offset / 4);
		else {
		CAM_ERR(CAM_CSIPHY, "num_cmd_buffers = %d",
		csl_packet->num_cmd_buf);
		rc = -EINVAL;
		return rc;
		}

		rc = cam_packet_util_validate_cmd_desc(cmd_desc);
		if (rc) {
		CAM_ERR(CAM_CSIPHY, "Invalid cmd desc ret: %d", rc);
		return rc;
		}

		rc = cam_mem_get_cpu_buf(cmd_desc->mem_handle,
		&generic_ptr, &len);