diff options
| author | Senthil Kumar Rajagopal <skrajago@codeaurora.org> | 2017-04-10 15:11:14 +0530 |
|---|---|---|
| committer | Senthil Kumar Rajagopal <skrajago@codeaurora.org> | 2017-04-18 15:16:51 +0530 |
| commit | fd70b655d901e626403f132b65fc03d993f0a09b (patch) | |
| tree | 3d6ae1c18e38820d98678907ebd6ff24bca70982 | |
| parent | 7f0d77b390e15aa9ea4b517aec21a0e88e02f5a0 (diff) | |
msm: camera: isp: add bound check to handle array out of access
The pointer req_frm comes from userspace,
req_frm->stream_handle is passed as an argument to
the function msm_isp_get_stream_common_data,
stream_idx can overflow common_data->streams[] and
the code ends up copying an out of bound
kernel address into stream_info. Adding bound check to
handle the same.
CRs-fixed: 2008683
Change-Id: Ib4a059bfd573cdc4e18ce630b4091576ff8edc7e
Signed-off-by: Senthil Kumar Rajagopal <skrajago@codeaurora.org>
| -rw-r--r-- | drivers/media/platform/msm/camera_v2/isp/msm_isp_axi_util.c | 6 | ||||
| -rw-r--r-- | drivers/media/platform/msm/camera_v2/isp/msm_isp_axi_util.h | 5 |
2 files changed, 11 insertions, 0 deletions
diff --git a/drivers/media/platform/msm/camera_v2/isp/msm_isp_axi_util.c b/drivers/media/platform/msm/camera_v2/isp/msm_isp_axi_util.c index dce474e40470..8ab2e85f9f41 100644 --- a/drivers/media/platform/msm/camera_v2/isp/msm_isp_axi_util.c +++ b/drivers/media/platform/msm/camera_v2/isp/msm_isp_axi_util.c @@ -3909,6 +3909,12 @@ int msm_isp_update_axi_stream(struct vfe_device *vfe_dev, void *arg) &update_cmd->req_frm_ver2; stream_info = msm_isp_get_stream_common_data(vfe_dev, HANDLE_TO_IDX(req_frm->stream_handle)); + if (stream_info == NULL) { + pr_err_ratelimited("%s: stream_info is NULL\n", + __func__); + rc = -EINVAL; + break; + } rc = msm_isp_request_frame(vfe_dev, stream_info, req_frm->user_stream_id, req_frm->frame_id, diff --git a/drivers/media/platform/msm/camera_v2/isp/msm_isp_axi_util.h b/drivers/media/platform/msm/camera_v2/isp/msm_isp_axi_util.h index 65009cb22286..a8d4cfb43927 100644 --- a/drivers/media/platform/msm/camera_v2/isp/msm_isp_axi_util.h +++ b/drivers/media/platform/msm/camera_v2/isp/msm_isp_axi_util.h @@ -141,6 +141,11 @@ static inline struct msm_vfe_axi_stream *msm_isp_get_stream_common_data( struct msm_vfe_common_dev_data *common_data = vfe_dev->common_data; struct msm_vfe_axi_stream *stream_info; + if (stream_idx >= VFE_AXI_SRC_MAX) { + pr_err("invalid stream_idx %d\n", stream_idx); + return NULL; + } + if (vfe_dev->is_split && stream_idx < RDI_INTF_0) stream_info = &common_data->streams[stream_idx]; else |