
Commit 5755ad78 authored by Mukund Madhusudan Atre

msm: camera: Validate packet params against cpu buffer length



Modify the packet validation in cam utils and its callers so that the
CPU buffer length is passed in and used to validate the number of
cmd buffers, io configs and patches.

Change-Id: Ia180264b787bb8ab91154448809076d7c0c31e29
Signed-off-by: Mukund Madhusudan Atre <matre@codeaurora.org>
parent a9992c89
+8 −0
@@ -118,6 +118,14 @@ int cam_virtual_cdm_submit_bl(struct cam_hw_info *cdm_hw,

		if ((!rc) && (vaddr_ptr) && (len) &&
			(len >= cdm_cmd->cmd[i].offset)) {


			if ((len - cdm_cmd->cmd[i].offset) <=
				cdm_cmd->cmd[i].len) {
				CAM_ERR(CAM_CDM, "Not enough buffer");
				rc = -EINVAL;
				break;
			}
			CAM_DBG(CAM_CDM,
				"hdl=%x vaddr=%pK offset=%d cmdlen=%d:%zu",
				cdm_cmd->cmd[i].bl_addr.mem_handle,
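Review bot: The new bound in cam_virtual_cdm_submit_bl uses `<=`, so a command whose `len` exactly fills the space left after `offset` is rejected as "Not enough buffer". If refusing the exact fit is intended, a short comment saying why would help; otherwise the comparison would be `if ((len - cdm_cmd->cmd[i].offset) < cdm_cmd->cmd[i].len) {`. The subtraction itself cannot wrap, because the enclosing condition already requires `len >= cdm_cmd->cmd[i].offset`. The error message would be more useful for triage if it printed the three values it compares. The function body continues outside the hunk.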
+17 −0
@@ -303,6 +303,12 @@ int32_t cam_context_config_dev_to_hw(
		return rc;
	}

	if ((len < sizeof(struct cam_packet)) ||
		(cmd->offset >= (len - sizeof(struct cam_packet)))) {
		CAM_ERR(CAM_CTXT, "Not enough buf");
		return -EINVAL;

	}
	packet = (struct cam_packet *) ((uint8_t *)packet_addr +
		(uint32_t)cmd->offset);

@@ -333,6 +339,7 @@ int32_t cam_context_prepare_dev_to_hw(struct cam_context *ctx,
	uintptr_t packet_addr;
	struct cam_packet *packet;
	size_t len = 0;
	size_t remain_len = 0;
	int32_t i = 0, j = 0;

	if (!ctx || !cmd) {
@@ -378,6 +385,15 @@ int32_t cam_context_prepare_dev_to_hw(struct cam_context *ctx,
		goto free_req;
	}

	remain_len = len;
	if ((len < sizeof(struct cam_packet)) ||
		((size_t)cmd->offset >= len - sizeof(struct cam_packet))) {
		CAM_ERR(CAM_CTXT, "invalid buff length: %zu or offset", len);
		rc = -EINVAL;
		goto free_cpu_buf;
	}

	remain_len -= (size_t)cmd->offset;
	packet = (struct cam_packet *) ((uint8_t *)packet_addr +
		(uint32_t)cmd->offset);

@@ -395,6 +411,7 @@ int32_t cam_context_prepare_dev_to_hw(struct cam_context *ctx,
	/* preprocess the configuration */
	memset(&cfg, 0, sizeof(cfg));
	cfg.packet = packet;
	cfg.remain_len = remain_len;
	cfg.ctxt_to_hw_map = ctx->ctxt_to_hw_map;
	cfg.max_hw_update_entries = CAM_CTX_CFG_MAX;
	cfg.num_hw_update_entries = req->num_hw_update_entries;
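Review bot: In cam_context_config_dev_to_hw the new length check leaves with a bare `return -EINVAL;`, while the same check in cam_context_prepare_dev_to_hw exits through `goto free_cpu_buf;`. If the packet buffer looked up above the first hunk holds a reference that has to be dropped, the config path skips that release on a bad offset; the lookup and any cleanup label in that function are outside the hunk, so this needs checking there. The two checks also differ in form: the second compares `(size_t)cmd->offset`, the first compares `cmd->offset` uncast, and both then add `(uint32_t)cmd->offset` to the base address, so the value tested and the value used can differ if the field is wider than 32 bits. Reading the offset once into a local of the type actually used in the arithmetic, and rejecting the request if that conversion changes the value, would keep the test and the use in step.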
+2 −0
@@ -153,6 +153,7 @@ struct cam_hw_mgr_dump_pf_data {
 * struct cam_hw_prepare_update_args - Payload for prepare command
 *
 * @packet:                CSL packet from user mode driver
 * @remain_len             Remaining length of CPU buffer after config offset
 * @ctxt_to_hw_map:        HW context from the acquire
 * @max_hw_update_entries: Maximum hardware update entries supported
 * @hw_update_entries:     Actual hardware update configuration (returned)
@@ -169,6 +170,7 @@ struct cam_hw_mgr_dump_pf_data {
 */
struct cam_hw_prepare_update_args {
	struct cam_packet              *packet;
	size_t                          remain_len;
	void                           *ctxt_to_hw_map;
	uint32_t                        max_hw_update_entries;
	struct cam_hw_update_entry     *hw_update_entries;
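Review bot: The new kernel-doc entry `@remain_len` in the comment for struct cam_hw_prepare_update_args has no colon after the member name, unlike `@packet:` and the other entries around it, so kernel-doc tooling may not pick it up as a member description. Suggested line: ` * @remain_len:            Remaining length of CPU buffer after config offset`. It would also help to state that the value is the byte count available from the start of `packet`, since that is what cam_context_prepare_dev_to_hw stores in it. The comment and the struct both continue outside the hunks.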
+13 −4
@@ -30,7 +30,8 @@

static struct cam_fd_hw_mgr g_fd_hw_mgr;

static int cam_fd_mgr_util_packet_validate(struct cam_packet *packet)
static int cam_fd_mgr_util_packet_validate(struct cam_packet *packet,
	size_t remain_len)
{
	struct cam_cmd_buf_desc *cmd_desc = NULL;
	int i, rc;
@@ -50,7 +51,7 @@ static int cam_fd_mgr_util_packet_validate(struct cam_packet *packet)
		packet->patch_offset, packet->num_patches,
		packet->kmd_cmd_buf_offset, packet->kmd_cmd_buf_index);

	if (cam_packet_util_validate_packet(packet)) {
	if (cam_packet_util_validate_packet(packet, remain_len)) {
		CAM_ERR(CAM_FD, "invalid packet:%d %d %d %d %d",
			packet->kmd_cmd_buf_index,
			packet->num_cmd_buf, packet->cmd_buf_offset,
@@ -611,7 +612,14 @@ static int cam_fd_mgr_util_prepare_io_buf_info(int32_t iommu_hdl,
						rc);
					goto rel_cpu_buf;
				}

				if (io_cfg[i].offsets[plane] >= size) {
					CAM_ERR(CAM_FD,
						"Invalid cpu buf %d %d %d",
						io_cfg[i].direction,
						io_cfg[i].resource_type, plane);
					rc = -EINVAL;
					goto rel_cpu_buf;
				}
				cpu_addr[plane] += io_cfg[i].offsets[plane];
			}

@@ -1592,7 +1600,8 @@ static int cam_fd_mgr_hw_prepare_update(void *hw_mgr_priv,
		goto error;
	}

	rc = cam_fd_mgr_util_packet_validate(prepare->packet);
	rc = cam_fd_mgr_util_packet_validate(prepare->packet,
		prepare->remain_len);
	if (rc) {
		CAM_ERR(CAM_FD, "Error in packet validation %d", rc);
		goto error;
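Review bot: The added test `io_cfg[i].offsets[plane] >= size` in cam_fd_mgr_util_prepare_io_buf_info only proves that the plane's start lies inside the CPU buffer; it does not bound how many bytes are later accessed from `cpu_addr[plane]`. How that address is consumed is outside the hunk, so whether a length check against `size - io_cfg[i].offsets[plane]` is needed has to be confirmed where the plane is read or written. The error text "Invalid cpu buf %d %d %d" also leaves out the offset and size being compared, which are the values needed to diagnose a rejected request. On the documentation side, cam_fd_mgr_util_packet_validate gained a `remain_len` parameter with no comment; a one-line note that it is the number of bytes available from `packet` onward would make the contract clear.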
+3 −0
@@ -3974,6 +3974,9 @@ static int cam_icp_mgr_prepare_hw_update(void *hw_mgr_priv,

	packet = prepare_args->packet;

	if (cam_packet_util_validate_packet(packet, prepare_args->remain_len))
		return -EINVAL;

	rc = cam_icp_mgr_pkt_validation(packet);
	if (rc) {
		mutex_unlock(&ctx_data->ctx_mutex);
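Review bot: The new early `return -EINVAL;` after cam_packet_util_validate_packet in cam_icp_mgr_prepare_hw_update leaves without unlocking, while the error path directly below it calls `mutex_unlock(&ctx_data->ctx_mutex);` before returning. That suggests `ctx_mutex` is held at this point (the lock call is above the hunk, so this is inferred), in which case a malformed packet from user space would leave the context mutex locked and block later operations on that context. The failure branch should call `mutex_unlock(&ctx_data->ctx_mutex);` before `return -EINVAL;`, with braces around the two statements. An error log for the rejected packet, as the FD manager emits on the same failure, would also help.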