Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit ceb6fed5 authored by Rajesh Bondugula's avatar Rajesh Bondugula Committed by Gerrit - the friendly Code Review server
Browse files

msm: camera: sensor: Validate eeprom_name string length 



Validate eeprom_name string length before copying into
the userspace buffer.
If more data than required is copied, userspace has the access to
some of kernel data which is not intended.

This change will fix the issue.

CRs-Fixed: 1090007
Signed-off-by: default avatarRajesh Bondugula <rajeshb@codeaurora.org>
Change-Id: Id40a287e0b1a93cc15d9b02c757fe9f347e285f2
parent 0cb456f4

drivers/media/platform/msm/camera_v2/sensor/eeprom/msm_eeprom.c

+18 −4
Original line number Diff line number Diff line
@@ -617,6 +617,7 @@ static int msm_eeprom_config(struct msm_eeprom_ctrl_t *e_ctrl, 
	struct msm_eeprom_cfg_data *cdata =

		(struct msm_eeprom_cfg_data *)argp;

	int rc = 0;

	size_t length = 0;



	CDBG("%s E\n", __func__);

	switch (cdata->cfgtype) {
@@ -629,9 +630,15 @@ static int msm_eeprom_config(struct msm_eeprom_ctrl_t *e_ctrl, 
		}

		CDBG("%s E CFG_EEPROM_GET_INFO\n", __func__);

		cdata->is_supported = e_ctrl->is_supported;

		length = strlen(e_ctrl->eboard_info->eeprom_name) + 1;

		if (length > MAX_EEPROM_NAME) {

			pr_err("%s:%d invalid eeprom_name length %d\n",

				__func__, __LINE__, (int)length);

			rc = -EINVAL;

			break;

		}

		memcpy(cdata->cfg.eeprom_name,

			e_ctrl->eboard_info->eeprom_name,

			sizeof(cdata->cfg.eeprom_name));

			e_ctrl->eboard_info->eeprom_name, length);

		break;

	case CFG_EEPROM_GET_CAL_DATA:

		CDBG("%s E CFG_EEPROM_GET_CAL_DATA\n", __func__);
@@ -1479,6 +1486,7 @@ static int msm_eeprom_config32(struct msm_eeprom_ctrl_t *e_ctrl, 
	struct msm_eeprom_cfg_data32 *cdata =

		(struct msm_eeprom_cfg_data32 *)argp;

	int rc = 0;

	size_t length = 0;



	CDBG("%s E\n", __func__);

	switch (cdata->cfgtype) {
@@ -1491,9 +1499,15 @@ static int msm_eeprom_config32(struct msm_eeprom_ctrl_t *e_ctrl, 
		}

		CDBG("%s E CFG_EEPROM_GET_INFO\n", __func__);

		cdata->is_supported = e_ctrl->is_supported;

		length = strlen(e_ctrl->eboard_info->eeprom_name) + 1;

		if (length > MAX_EEPROM_NAME) {

			pr_err("%s:%d invalid eeprom_name length %d\n",

				__func__, __LINE__, (int)length);

			rc = -EINVAL;

			break;

		}

		memcpy(cdata->cfg.eeprom_name,

			e_ctrl->eboard_info->eeprom_name,

			sizeof(cdata->cfg.eeprom_name));

			e_ctrl->eboard_info->eeprom_name, length);

		break;

	case CFG_EEPROM_GET_CAL_DATA:

		CDBG("%s E CFG_EEPROM_GET_CAL_DATA\n", __func__);