msm: camera: common: Add conditions to catch invalid packet data (5685ecf2) · Commits · e / devices / android_kernel_fairphone_FP5

drivers/cam_fd/fd_hw_mgr/cam_fd_hw_mgr.c

+2 −1

Original line number	Diff line number	Diff line
		// SPDX-License-Identifier: GPL-2.0-only
		/*
		* Copyright (c) 2017-2020, The Linux Foundation. All rights reserved.
		* Copyright (c) 2022 Qualcomm Innovation Center, Inc. All rights reserved.
		*/

		#include <linux/module.h>
		@@ -54,7 +55,7 @@ static int cam_fd_mgr_util_packet_validate(struct cam_packet *packet,
		}

		/* All buffers must come through io config, do not support patching */
		if (packet->num_patches \|\| !packet->num_io_configs) {
		if (packet->num_patches \|\| !packet->num_io_configs \|\| !packet->num_cmd_buf) {
		CAM_ERR(CAM_FD, "wrong number of cmd/patch info: %u %u",
		packet->num_cmd_buf, packet->num_patches);
		return -EINVAL;

+2 −2

Original line number	Diff line number	Diff line
		@@ -4189,13 +4189,13 @@ static int cam_icp_mgr_pkt_validation(struct cam_packet *packet)
		return -EINVAL;
		}

		if (packet->num_io_configs > IPE_IO_IMAGES_MAX) {
		if (!packet->num_io_configs \|\| packet->num_io_configs > IPE_IO_IMAGES_MAX) {
		CAM_ERR(CAM_ICP, "Invalid number of io configs: %d %d",
		IPE_IO_IMAGES_MAX, packet->num_io_configs);
		return -EINVAL;
		}

		if (packet->num_cmd_buf > CAM_ICP_CTX_MAX_CMD_BUFFERS) {
		if (!packet->num_cmd_buf \|\| packet->num_cmd_buf > CAM_ICP_CTX_MAX_CMD_BUFFERS) {
		CAM_ERR(CAM_ICP, "Invalid number of cmd buffers: %d %d",
		CAM_ICP_CTX_MAX_CMD_BUFFERS, packet->num_cmd_buf);
		return -EINVAL;

+4 −3

Original line number	Diff line number	Diff line
		// SPDX-License-Identifier: GPL-2.0-only
		/*
		* Copyright (c) 2022 Qualcomm Innovation Center, Inc. All rights reserved.
		* Copyright (c) 2017-2021, The Linux Foundation. All rights reserved.
		* Copyright (c) 2022 Qualcomm Innovation Center, Inc. All rights reserved.
		*/

		#include <linux/uaccess.h>
		@@ -769,8 +769,9 @@ static int cam_jpeg_mgr_prepare_hw_update(void *hw_mgr_priv,
		return rc;
		}

		if ((packet->num_cmd_buf > 5) \|\| !packet->num_patches \|\|
		!packet->num_io_configs \|\|
		if (!packet->num_cmd_buf \|\|
		(packet->num_cmd_buf > 5) \|\|
		!packet->num_patches \|\| !packet->num_io_configs \|\|
		(packet->num_io_configs > CAM_JPEG_IMAGE_MAX)) {
		CAM_ERR(CAM_JPEG,
		"wrong number of cmd/patch/io_configs info: %u %u %u",

+6 −0

Original line number	Diff line number	Diff line
		// SPDX-License-Identifier: GPL-2.0-only
		/*
		* Copyright (c) 2017-2020, The Linux Foundation. All rights reserved.
		* Copyright (c) 2022 Qualcomm Innovation Center, Inc. All rights reserved.
		*/

		#include <linux/module.h>
		@@ -113,6 +114,11 @@ static int cam_lrme_mgr_util_packet_validate(struct cam_packet *packet,
		return -EINVAL;
		}

		if (!packet->num_cmd_buf) {
		CAM_ERR(CAM_LRME, "no cmd bufs");
		return -EINVAL;
		}

		cmd_desc = (struct cam_cmd_buf_desc )((uint8_t )&packet->payload +
		packet->cmd_buf_offset);

+4 −2

Original line number	Diff line number	Diff line
		@@ -2379,13 +2379,15 @@ static int cam_ope_mgr_pkt_validation(struct cam_packet *packet)
		return -EINVAL;
		}

		if (packet->num_io_configs > OPE_MAX_IO_BUFS) {
		if (!packet->num_io_configs \|\|
		packet->num_io_configs > OPE_MAX_IO_BUFS) {
		CAM_ERR(CAM_OPE, "Invalid number of io configs: %d %d",
		OPE_MAX_IO_BUFS, packet->num_io_configs);
		return -EINVAL;
		}

		if (packet->num_cmd_buf > OPE_PACKET_MAX_CMD_BUFS) {
		if (!packet->num_cmd_buf \|\|
		packet->num_cmd_buf > OPE_PACKET_MAX_CMD_BUFS) {
		CAM_ERR(CAM_OPE, "Invalid number of cmd buffers: %d %d",
		OPE_PACKET_MAX_CMD_BUFS, packet->num_cmd_buf);
		return -EINVAL;