
Commit fd70b655 authored by Senthil Kumar Rajagopal

msm: camera: isp: add bound check to handle array out of access



The pointer req_frm comes from userspace,
req_frm->stream_handle is passed as an argument to
the function msm_isp_get_stream_common_data,
stream_idx can overflow common_data->streams[] and
the code ends up copying an out of bound
kernel address into stream_info. Adding bound check to
handle the same.

CRs-fixed: 2008683
Change-Id: Ib4a059bfd573cdc4e18ce630b4091576ff8edc7e
Signed-off-by: Senthil Kumar Rajagopal <skrajago@codeaurora.org>
parent 7f0d77b3
+6 −0
@@ -3909,6 +3909,12 @@ int msm_isp_update_axi_stream(struct vfe_device *vfe_dev, void *arg)
			&update_cmd->req_frm_ver2;
		stream_info = msm_isp_get_stream_common_data(vfe_dev,
				HANDLE_TO_IDX(req_frm->stream_handle));
		if (stream_info == NULL) {
			pr_err_ratelimited("%s: stream_info is NULL\n",
				__func__);
			rc = -EINVAL;
			break;
		}
		rc = msm_isp_request_frame(vfe_dev, stream_info,
			req_frm->user_stream_id,
			req_frm->frame_id,
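Review bot: the stream_info == NULL check added after the msm_isp_get_stream_common_data() call guards only this req_frm_ver2 path, while the companion hunk makes the helper return NULL for any out-of-range index. Every other caller that dereferences the returned pointer needs the same guard, so please audit them in this change or note in the commit message that they were checked. The error message would also be more useful for triage if it printed req_frm->stream_handle, the value that failed validation.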
+5 −0
@@ -141,6 +141,11 @@ static inline struct msm_vfe_axi_stream *msm_isp_get_stream_common_data(
	struct msm_vfe_common_dev_data *common_data = vfe_dev->common_data;
	struct msm_vfe_axi_stream *stream_info;

	if (stream_idx >= VFE_AXI_SRC_MAX) {
		pr_err("invalid stream_idx %d\n", stream_idx);
		return NULL;
	}

	if (vfe_dev->is_split &&  stream_idx < RDI_INTF_0)
		stream_info = &common_data->streams[stream_idx];
	else
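Review bot: the pr_err() in the new stream_idx check is not rate limited, and the commit message says the index is derived from a userspace-supplied handle, so repeated bad requests can fill the kernel log; use pr_err_ratelimited() as the caller-side check does, and include __func__ in the message. The check also tests only the upper bound: the %d format suggests stream_idx is a signed int (its declaration is outside the visible lines), in which case a negative index passes stream_idx >= VFE_AXI_SRC_MAX and still satisfies stream_idx < RDI_INTF_0, reaching common_data->streams[stream_idx] on the is_split path. Either declare the parameter unsigned or reject stream_idx < 0 as well.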