evie/android_kernel_oneplus_msm8998
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

msm: camera: sensor: Validate eeprom_name string length

Browse source 
Validate eeprom_name string length before copying into
the userspace buffer.
If more data than required is copied, userspace has the access to
some of kernel data which is not intended.

This change will fix the issue.

CRs-Fixed: 1090007
Signed-off-by: Rajesh Bondugula <rajeshb@codeaurora.org>
Change-Id: Id40a287e0b1a93cc15d9b02c757fe9f347e285f2
This commit is contained in:
Rajesh Bondugula 2016-11-15 13:52:49 -08:00 committed by Gerrit - the friendly Code Review server
parent 9febdfdde0
commit 42e0f618e9
2 changed files with 19 additions and 5 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

22
drivers/media/platform/msm/camera_v2/sensor/eeprom/msm_eeprom.c
View file

@ -619,6 +619,7 @@ static int msm_eeprom_config(struct msm_eeprom_ctrl_t *e_ctrl,
struct msm_eeprom_cfg_data *cdata =
(struct msm_eeprom_cfg_data *)argp;
int rc = 0;
size_t length = 0;
CDBG("%s E\n", __func__);
switch (cdata->cfgtype) {
@ -631,9 +632,15 @@ static int msm_eeprom_config(struct msm_eeprom_ctrl_t *e_ctrl,
}
CDBG("%s E CFG_EEPROM_GET_INFO\n", __func__);
cdata->is_supported = e_ctrl->is_supported;
length = strlen(e_ctrl->eboard_info->eeprom_name) + 1;
if (length > MAX_EEPROM_NAME) {
pr_err("%s:%d invalid eeprom_name length %d\n",
__func__, __LINE__, (int)length);
rc = -EINVAL;
break;
}
memcpy(cdata->cfg.eeprom_name,
e_ctrl->eboard_info->eeprom_name,
sizeof(cdata->cfg.eeprom_name));
e_ctrl->eboard_info->eeprom_name, length);
break;
case CFG_EEPROM_GET_CAL_DATA:
CDBG("%s E CFG_EEPROM_GET_CAL_DATA\n", __func__);
@ -1477,6 +1484,7 @@ static int msm_eeprom_config32(struct msm_eeprom_ctrl_t *e_ctrl,
struct msm_eeprom_cfg_data32 *cdata =
(struct msm_eeprom_cfg_data32 *)argp;
int rc = 0;
size_t length = 0;
CDBG("%s E\n", __func__);
switch (cdata->cfgtype) {
@ -1489,9 +1497,15 @@ static int msm_eeprom_config32(struct msm_eeprom_ctrl_t *e_ctrl,
}
CDBG("%s E CFG_EEPROM_GET_INFO\n", __func__);
cdata->is_supported = e_ctrl->is_supported;
length = strlen(e_ctrl->eboard_info->eeprom_name) + 1;
if (length > MAX_EEPROM_NAME) {
pr_err("%s:%d invalid eeprom_name length %d\n",
__func__, __LINE__, (int)length);
rc = -EINVAL;
break;
}
memcpy(cdata->cfg.eeprom_name,
e_ctrl->eboard_info->eeprom_name,
sizeof(cdata->cfg.eeprom_name));
e_ctrl->eboard_info->eeprom_name, length);
break;
case CFG_EEPROM_GET_CAL_DATA:
CDBG("%s E CFG_EEPROM_GET_CAL_DATA\n", __func__);

2
include/uapi/media/msm_cam_sensor.h
View file

@ -305,7 +305,7 @@ struct msm_eeprom_cfg_data {
enum eeprom_cfg_type_t cfgtype;
uint8_t is_supported;
union {
char eeprom_name[MAX_SENSOR_NAME];
char eeprom_name[MAX_EEPROM_NAME];
struct eeprom_get_t get_data;
struct eeprom_read_t read_data;
struct eeprom_write_t write_data;