evie/android_kernel_oneplus_msm8998
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

msm: camera: cpp: Add validation for v4l2 ioctl arguments

Browse source 
In CPP v4l2 ioctl command is made, if _IOC_DIR(cmd) is
_IOC_NONE, then the user-supplied argument arg is not checked
and an information disclosure is possible

CRs-Fixed: 1042068
Change-Id: Iddb291b10cdcb5c42ab8497e06c2ce47885cd5ab
Signed-off-by: Sunid Wilson <sunidw@codeaurora.org>
This commit is contained in:
Sunid Wilson 2016-08-23 14:41:47 -07:00 committed by Gerrit - the friendly Code Review server
parent 057bdafd97
commit 5cb50e051b
1 changed files with 9 additions and 3 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

12
drivers/media/platform/msm/camera_v2/pproc/cpp/msm_cpp.c
View file

@ -2617,14 +2617,14 @@ static int msm_cpp_validate_input(unsigned int cmd, void *arg,
break; break;
default: { default: {
if (ioctl_ptr == NULL) { if (ioctl_ptr == NULL) {
pr_err("Wrong ioctl_ptr %pK\n", ioctl_ptr); pr_err("Wrong ioctl_ptr for cmd %u\n", cmd);
return -EINVAL; return -EINVAL;
} }
*ioctl_ptr = arg; *ioctl_ptr = arg;
if ((*ioctl_ptr == NULL) || if ((*ioctl_ptr == NULL) ||
((*ioctl_ptr)->ioctl_ptr == NULL)) { (*ioctl_ptr)->ioctl_ptr == NULL) {
pr_err("Wrong arg %pK\n", arg); pr_err("Error invalid ioctl argument cmd %u", cmd);
return -EINVAL; return -EINVAL;
} }
break; break;
@ -2649,6 +2649,12 @@ long msm_cpp_subdev_ioctl(struct v4l2_subdev *sd,
pr_err("cpp_dev is null\n"); pr_err("cpp_dev is null\n");
return -EINVAL; return -EINVAL;
} }
if (_IOC_DIR(cmd) == _IOC_NONE) {
pr_err("Invalid ioctl/subdev cmd %u", cmd);
return -EINVAL;
}
rc = msm_cpp_validate_input(cmd, arg, &ioctl_ptr); rc = msm_cpp_validate_input(cmd, arg, &ioctl_ptr);
if (rc != 0) { if (rc != 0) {
pr_err("input validation failed\n"); pr_err("input validation failed\n");