Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 53cc2269 authored by Deepak Kaushal's avatar Deepak Kaushal Committed by Vasko Kalanoski
Browse files

msm: camera: Validate size param before allocating memory 



When ever i2c write is initiated check size param for NULL
and in case of sequence write check for maximun allowed
size per i2c sequence write.

Change-Id: I111282537663d6b263a3686927c85b8f71560dae
Changa-Id: I590c7b3d154fc7626e54d5d52f7fea7f7bc2079a
Signed-off-by: default avatarDeepak Kaushal <dkaushal@codeaurora.org>
Signed-off-by: default avatarViswanadha Raju Thotakura <viswanad@codeaurora.org>
parent d6748071

drivers/media/platform/msm/camera_v2/sensor/gc0310.c

+29 −1
Original line number Diff line number Diff line 
/* Copyright (c) 2014, The Linux Foundation. All rights reserved.

/* Copyright (c) 2014-2015, The Linux Foundation. All rights reserved.

 *

 * This program is free software; you can redistribute it and/or modify

 * it under the terms of the GNU General Public License version 2 and
@@ -709,6 +709,13 @@ int32_t gc0310_sensor_config(struct msm_sensor_ctrl_t *s_ctrl, 
			break;

		}



		if (!conf_array.size ||

			conf_array.size > I2C_REG_DATA_MAX) {

			pr_err("%s:%d failed\n", __func__, __LINE__);

			rc = -EFAULT;

			break;

		}



		reg_setting = kzalloc(conf_array.size *

			(sizeof(struct msm_camera_i2c_reg_array)), GFP_KERNEL);

		if (!reg_setting) {
@@ -743,6 +750,13 @@ int32_t gc0310_sensor_config(struct msm_sensor_ctrl_t *s_ctrl, 
			break;

		}



		if (!conf_array.size ||

			conf_array.size > I2C_SEQ_REG_DATA_MAX) {

			pr_err("%s:%d failed\n", __func__, __LINE__);

			rc = -EFAULT;

			break;

		}



		reg_setting = kzalloc(conf_array.size *

			(sizeof(struct msm_camera_i2c_seq_reg_array)),

			GFP_KERNEL);
@@ -1029,6 +1043,13 @@ int32_t gc0310_sensor_config32(struct msm_sensor_ctrl_t *s_ctrl, 
			break;

		}



		if (!conf_array.size ||

			conf_array.size > I2C_REG_DATA_MAX) {

			pr_err("%s:%d failed\n", __func__, __LINE__);

			rc = -EFAULT;

			break;

		}



		reg_setting = kzalloc(conf_array.size *

			(sizeof(struct msm_camera_i2c_reg_array)), GFP_KERNEL);

		if (!reg_setting) {
@@ -1063,6 +1084,13 @@ int32_t gc0310_sensor_config32(struct msm_sensor_ctrl_t *s_ctrl, 
			break;

		}



		if (!conf_array.size ||

			conf_array.size > I2C_SEQ_REG_DATA_MAX) {

			pr_err("%s:%d failed\n", __func__, __LINE__);

			rc = -EFAULT;

			break;

		}



		reg_setting = kzalloc(conf_array.size *

			(sizeof(struct msm_camera_i2c_seq_reg_array)),

			GFP_KERNEL);

drivers/media/platform/msm/camera_v2/sensor/msm_sensor.c

+13 −5
Original line number Diff line number Diff line
@@ -747,7 +747,8 @@ static int msm_sensor_config32(struct msm_sensor_ctrl_t *s_ctrl, 
		conf_array.size = conf_array32.size;

		conf_array.reg_setting = compat_ptr(conf_array32.reg_setting);



		if (!conf_array.size) {

		if (!conf_array.size ||

			conf_array.size > I2C_REG_DATA_MAX) {

			pr_err("%s:%d failed\n", __func__, __LINE__);

			rc = -EFAULT;

			break;
@@ -853,11 +854,13 @@ static int msm_sensor_config32(struct msm_sensor_ctrl_t *s_ctrl, 
		conf_array.size = conf_array32.size;

		conf_array.reg_setting = compat_ptr(conf_array32.reg_setting);



		if (!conf_array.size) {

		if (!conf_array.size ||

			conf_array.size > I2C_SEQ_REG_DATA_MAX) {

			pr_err("%s:%d failed\n", __func__, __LINE__);

			rc = -EFAULT;

			break;

		}



		reg_setting = kzalloc(conf_array.size *

			(sizeof(struct msm_camera_i2c_seq_reg_array)),

			GFP_KERNEL);
@@ -1066,7 +1069,8 @@ int msm_sensor_config(struct msm_sensor_ctrl_t *s_ctrl, void __user *argp) 
			break;

		}



		if (!conf_array.size) {

		if (!conf_array.size ||

			conf_array.size > I2C_REG_DATA_MAX) {

			pr_err("%s:%d failed\n", __func__, __LINE__);

			rc = -EFAULT;

			break;
@@ -1160,11 +1164,13 @@ int msm_sensor_config(struct msm_sensor_ctrl_t *s_ctrl, void __user *argp) 
			write_config.slave_addr,

			write_config.conf_array.size);



		if (!write_config.conf_array.size) {

		if (!write_config.conf_array.size ||

			write_config.conf_array.size > I2C_SEQ_REG_DATA_MAX) {

			pr_err("%s:%d failed\n", __func__, __LINE__);

			rc = -EFAULT;

			break;

		}



		reg_setting = kzalloc(write_config.conf_array.size *

			(sizeof(struct msm_camera_i2c_reg_array)), GFP_KERNEL);

		if (!reg_setting) {
@@ -1238,11 +1244,13 @@ int msm_sensor_config(struct msm_sensor_ctrl_t *s_ctrl, void __user *argp) 
			break;

		}



		if (!conf_array.size) {

		if (!conf_array.size ||

			conf_array.size > I2C_SEQ_REG_DATA_MAX) {

			pr_err("%s:%d failed\n", __func__, __LINE__);

			rc = -EFAULT;

			break;

		}



		reg_setting = kzalloc(conf_array.size *

			(sizeof(struct msm_camera_i2c_seq_reg_array)),

			GFP_KERNEL);

drivers/media/platform/msm/camera_v2/sensor/mt9m114.c

+2 −4
Original line number Diff line number Diff line
@@ -1268,8 +1268,7 @@ int32_t mt9m114_sensor_config(struct msm_sensor_ctrl_t *s_ctrl, 
		}



		if (!conf_array.size ||

			conf_array.size > I2C_SEQ_REG_DATA_MAX) {



			conf_array.size > I2C_REG_DATA_MAX) {

			pr_err("%s:%d failed\n", __func__, __LINE__);

			rc = -EFAULT;

			break;
@@ -1511,8 +1510,7 @@ int32_t mt9m114_sensor_config32(struct msm_sensor_ctrl_t *s_ctrl, 
		conf_array.reg_setting = compat_ptr(conf_array32.reg_setting);



		if (!conf_array.size ||

			conf_array.size > I2C_SEQ_REG_DATA_MAX) {



			conf_array.size > I2C_REG_DATA_MAX) {

			pr_err("%s:%d failed\n", __func__, __LINE__);

			rc = -EFAULT;

			break;

drivers/media/platform/msm/camera_v2/sensor/ov5645.c

+16 −0
Original line number Diff line number Diff line
@@ -726,6 +726,14 @@ int32_t ov5645_sensor_config(struct msm_sensor_ctrl_t *s_ctrl, 
			break;

		}



		if (!conf_array.size ||

			conf_array.size > I2C_REG_DATA_MAX) {



			pr_err("%s:%d failed\n", __func__, __LINE__);

			rc = -EFAULT;

			break;

		}



		reg_setting = kzalloc(conf_array.size *

			(sizeof(struct msm_camera_i2c_reg_array)), GFP_KERNEL);

		if (!reg_setting) {
@@ -1006,6 +1014,14 @@ int32_t ov5645_sensor_config32(struct msm_sensor_ctrl_t *s_ctrl, 
		conf_array.size = conf_array32.size;

		conf_array.reg_setting = compat_ptr(conf_array32.reg_setting);



		if (!conf_array.size ||

			conf_array.size > I2C_REG_DATA_MAX) {



			pr_err("%s:%d failed\n", __func__, __LINE__);

			rc = -EFAULT;

			break;

		}



		reg_setting = kzalloc(conf_array.size *

			(sizeof(struct msm_camera_i2c_reg_array)), GFP_KERNEL);

		if (!reg_setting) {

drivers/media/platform/msm/camera_v2/sensor/ov7695.c

+14 −0
Original line number Diff line number Diff line
@@ -445,6 +445,13 @@ int32_t ov7695_sensor_config(struct msm_sensor_ctrl_t *s_ctrl, 
			break;

		}



		if (!conf_array.size ||

			conf_array.size > I2C_REG_DATA_MAX) {

			pr_err("%s:%d failed\n", __func__, __LINE__);

			rc = -EFAULT;

			break;

		}



		reg_setting = kzalloc(conf_array.size *

			(sizeof(struct msm_camera_i2c_reg_array)), GFP_KERNEL);

		if (!reg_setting) {
@@ -680,6 +687,13 @@ int32_t ov7695_sensor_config32(struct msm_sensor_ctrl_t *s_ctrl, 
		conf_array.size = conf_array32.size;

		conf_array.reg_setting = compat_ptr(conf_array32.reg_setting);



		if (!conf_array.size ||

			conf_array.size > I2C_REG_DATA_MAX) {

			pr_err("%s:%d failed\n", __func__, __LINE__);

			rc = -EFAULT;

			break;

		}



		reg_setting = kzalloc(conf_array.size *

			(sizeof(struct msm_camera_i2c_reg_array)), GFP_KERNEL);

		if (!reg_setting) {