From 5cb50e051bb0d99bf1a784188f7f22838a4d3e26 Mon Sep 17 00:00:00 2001
From: Sunid Wilson <sunidw@codeaurora.org>
Date: Tue, 23 Aug 2016 14:41:47 -0700
Subject: [PATCH] msm: camera: cpp: Add validation for v4l2 ioctl arguments

In CPP v4l2 ioctl command is made, if _IOC_DIR(cmd) is
_IOC_NONE, then the user-supplied argument arg is not checked
and an information disclosure is possible

CRs-Fixed: 1042068
Change-Id: Iddb291b10cdcb5c42ab8497e06c2ce47885cd5ab
Signed-off-by: Sunid Wilson <sunidw@codeaurora.org>
---
 .../media/platform/msm/camera_v2/pproc/cpp/msm_cpp.c | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/drivers/media/platform/msm/camera_v2/pproc/cpp/msm_cpp.c b/drivers/media/platform/msm/camera_v2/pproc/cpp/msm_cpp.c
index 3ac4c3af3208..7b14c6d6bddd 100644
--- a/drivers/media/platform/msm/camera_v2/pproc/cpp/msm_cpp.c
+++ b/drivers/media/platform/msm/camera_v2/pproc/cpp/msm_cpp.c
@@ -2617,14 +2617,14 @@ static int msm_cpp_validate_input(unsigned int cmd, void *arg,
 		break;
 	default: {
 		if (ioctl_ptr == NULL) {
-			pr_err("Wrong ioctl_ptr %pK\n", ioctl_ptr);
+			pr_err("Wrong ioctl_ptr for cmd %u\n", cmd);
 			return -EINVAL;
 		}
 
 		*ioctl_ptr = arg;
 		if ((*ioctl_ptr == NULL) ||
-			((*ioctl_ptr)->ioctl_ptr == NULL)) {
-			pr_err("Wrong arg %pK\n", arg);
+			(*ioctl_ptr)->ioctl_ptr == NULL) {
+			pr_err("Error invalid ioctl argument cmd %u", cmd);
 			return -EINVAL;
 		}
 		break;
@@ -2649,6 +2649,12 @@ long msm_cpp_subdev_ioctl(struct v4l2_subdev *sd,
 		pr_err("cpp_dev is null\n");
 		return -EINVAL;
 	}
+
+	if (_IOC_DIR(cmd) == _IOC_NONE) {
+		pr_err("Invalid ioctl/subdev cmd %u", cmd);
+		return -EINVAL;
+	}
+
 	rc = msm_cpp_validate_input(cmd, arg, &ioctl_ptr);
 	if (rc != 0) {
 		pr_err("input validation failed\n");