msm: camera: sensor: Validate eeprom_name string length

Validate eeprom_name string length before copying into
the userspace buffer.
If more data than required is copied, userspace gains access to
kernel data that it was not intended to see.

This change will fix this issue.

CRs-Fixed: 1090007
Change-Id: Id40a287e0b1a93cc15d9b02c757fe9f347e285f2
Signed-off-by: Rajesh Bondugula <rajeshb@codeaurora.org>
Signed-off-by: VijayaKumar T M <vtmuni@codeaurora.org>
VijayaKumar T M 2016-11-21 11:38:29 +05:30 committed by Gerrit - the friendly Code Review server
parent 5659dd095d
commit 15ebca59d1
2 changed files with 21 additions and 4 deletions


@ -619,6 +619,7 @@ static int msm_eeprom_config(struct msm_eeprom_ctrl_t *e_ctrl,
struct msm_eeprom_cfg_data *cdata =
(struct msm_eeprom_cfg_data *)argp;
int rc = 0;
size_t length = 0;
CDBG("%s E\n", __func__);
switch (cdata->cfgtype) {
@ -631,6 +632,13 @@ static int msm_eeprom_config(struct msm_eeprom_ctrl_t *e_ctrl,
}
CDBG("%s E CFG_EEPROM_GET_INFO\n", __func__);
cdata->is_supported = e_ctrl->is_supported;
length = strlen(e_ctrl->eboard_info->eeprom_name) + 1;
if (length > MAX_EEPROM_NAME) {
pr_err("%s:%d invalid eeprom name length %d\n",
__func__, __LINE__, (int)length);
rc = -EINVAL;
break;
}
memcpy(cdata->cfg.eeprom_name,
e_ctrl->eboard_info->eeprom_name,
sizeof(cdata->cfg.eeprom_name));
@ -1456,6 +1464,7 @@ static int msm_eeprom_config32(struct msm_eeprom_ctrl_t *e_ctrl,
struct msm_eeprom_cfg_data32 *cdata =
(struct msm_eeprom_cfg_data32 *)argp;
int rc = 0;
size_t length = 0;
CDBG("%s E\n", __func__);
switch (cdata->cfgtype) {
@ -1468,6 +1477,14 @@ static int msm_eeprom_config32(struct msm_eeprom_ctrl_t *e_ctrl,
}
CDBG("%s E CFG_EEPROM_GET_INFO\n", __func__);
cdata->is_supported = e_ctrl->is_supported;
length = strlen(e_ctrl->eboard_info->eeprom_name) + 1;
if (length > MAX_EEPROM_NAME) {
pr_err("%s:%d invalid eeprom name length %d\n",
__func__, __LINE__, (int)length);
rc = -EINVAL;
break;
}
memcpy(cdata->cfg.eeprom_name,
e_ctrl->eboard_info->eeprom_name,
sizeof(cdata->cfg.eeprom_name));
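Review bot: The `memcpy` in the `CFG_EEPROM_GET_INFO` case still copies `sizeof(cdata->cfg.eeprom_name)` bytes, so the new `length` value is checked but never used for the copy. If `e_ctrl->eboard_info->eeprom_name` points to a NUL-terminated string shorter than `MAX_EEPROM_NAME` (its declaration is not visible here), the copy reads past the terminator, and the bytes after it still land in the buffer returned to userspace, which is the disclosure the commit message describes. Copying only the validated length closes that: `memcpy(cdata->cfg.eeprom_name, e_ctrl->eboard_info->eeprom_name, length);`, with the destination zeroed first if the caller does not already do so. The same applies to the identical block in `msm_eeprom_config32`. Both function bodies continue outside the hunks shown.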


@ -294,7 +294,7 @@ struct msm_eeprom_cfg_data {
enum eeprom_cfg_type_t cfgtype;
uint8_t is_supported;
union {
char eeprom_name[MAX_SENSOR_NAME];
char eeprom_name[MAX_EEPROM_NAME];
struct eeprom_get_t get_data;
struct eeprom_read_t read_data;
struct eeprom_write_t write_data;
@ -323,8 +323,8 @@ struct msm_sensor_power_setting_array32 {
};
struct msm_camera_sensor_slave_info32 {
char sensor_name[32];
char eeprom_name[32];
char sensor_name[MAX_SENSOR_NAME];
char eeprom_name[MAX_EEPROM_NAME];
char actuator_name[32];
char ois_name[32];
char flash_name[32];
@ -388,7 +388,7 @@ struct msm_eeprom_cfg_data32 {
enum eeprom_cfg_type_t cfgtype;
uint8_t is_supported;
union {
char eeprom_name[MAX_SENSOR_NAME];
char eeprom_name[MAX_EEPROM_NAME];
struct eeprom_get_t get_data;
struct eeprom_read_t32 read_data;
struct eeprom_write_t32 write_data;
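Review bot: `struct msm_camera_sensor_slave_info32` now sizes `sensor_name` and `eeprom_name` with `MAX_SENSOR_NAME` and `MAX_EEPROM_NAME` while `actuator_name`, `ois_name` and `flash_name` keep the literal `32`. The layout stays compatible with 32-bit userspace only if both macros equal 32, and their definitions are not shown on this page. A comment on the struct such as `/* compat layout: every name array must stay 32 bytes */` would record that constraint. A compile-time check such as `BUILD_BUG_ON(MAX_EEPROM_NAME != 32);` in the code that consumes the struct would enforce it if the macro is ever changed. The struct definitions continue outside the hunks shown.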