Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 02434fbd authored by Rajesh Bondugula's avatar Rajesh Bondugula Committed by Gerrit - the friendly Code Review server
Browse files

msm: camera: eeprom: Validate the power setting size 



Validate the power setting size before copying.
If userspace sends a value which is greater than
MAX_POWER_CONFIG, then the driver accesses unintended memory.
This change will fix the issue.

Crs-Fixed: 1089433
Signed-off-by: default avatarRajesh Bondugula <rajeshb@codeaurora.org>
Change-Id: Iaaa6f5b3c1c2ac5b5b38b3ac407d6ae394bba780
parent e1420870

drivers/media/platform/msm/camera_v2/sensor/eeprom/msm_eeprom.c

+10 −14
Original line number Diff line number Diff line
@@ -1402,6 +1402,16 @@ static int eeprom_init_config32(struct msm_eeprom_ctrl_t *e_ctrl, 


	power_info = &(e_ctrl->eboard_info->power_info);



	if ((power_setting_array32->size > MAX_POWER_CONFIG) ||

		(power_setting_array32->size_down > MAX_POWER_CONFIG) ||

		(!power_setting_array32->size) ||

		(!power_setting_array32->size_down)) {

		pr_err("%s:%d invalid power setting size=%d size_down=%d\n",

			__func__, __LINE__, power_setting_array32->size,

			power_setting_array32->size_down);

		rc = -EINVAL;

		goto free_mem;

	}

	msm_eeprom_copy_power_settings_compat(

		power_setting_array,

		power_setting_array32);
@@ -1416,20 +1426,6 @@ static int eeprom_init_config32(struct msm_eeprom_ctrl_t *e_ctrl, 
	power_info->power_down_setting_size =

		power_setting_array->size_down;



	if ((power_info->power_setting_size >

		MAX_POWER_CONFIG) ||

		(power_info->power_down_setting_size >

		MAX_POWER_CONFIG) ||

		(!power_info->power_down_setting_size) ||

		(!power_info->power_setting_size)) {

		rc = -EINVAL;

		pr_err("%s:%d Invalid power setting size :%d, %d\n",

			__func__, __LINE__,

			power_info->power_setting_size,

			power_info->power_down_setting_size);

		goto free_mem;

	}



	if (e_ctrl->i2c_client.cci_client) {

		e_ctrl->i2c_client.cci_client->i2c_freq_mode =

			cdata32->cfg.eeprom_info.i2c_freq_mode;