diff options
author | Amey Asgaonkar <aasgaonkar@nvidia.com> | 2016-04-28 18:01:42 -0700 |
---|---|---|
committer | Winnie Hsu <whsu@nvidia.com> | 2017-05-16 12:38:15 -0700 |
commit | 47f46d91bdd0ec42cf688dda09dcd187afdadffd (patch) | |
tree | 4838677ed6efc4532dd2ee0a75fc7bfe9c3916ca | |
parent | 36d071c93e79a3b340aa76c83079cdf441b5d381 (diff) |
camera: tegra: Fix security vulnerability
Check a few input params to make sure there is
no potential for a heap overflow in the driver.
(Back ported from Nexus N9 project)
Bug 1757475 (nvidia)
Bug 1832830 (nvidia)
Bug 28193342 (google)
Change-Id: I979fa38c5f453cfad7070f0340ec04adde5bac13
Signed-off-by: Amey Asgaonkar <aasgaonkar@nvidia.com>
Reviewed-on: http://git-master/r/1271369
Reviewed-by: Automatic_Commit_Validation_User
GVS: Gerrit_Virtual_Submit
Reviewed-by: Frank Chen <frankc@nvidia.com>
Tested-by: Frank Chen <frankc@nvidia.com>
Reviewed-by: Jihoon Bang <jbang@nvidia.com>
Reviewed-by: Winnie Hsu <whsu@nvidia.com>
-rw-r--r-- | drivers/media/platform/tegra/camera.c | 13 | ||||
-rw-r--r-- | include/media/camera.h | 3 |
2 files changed, 15 insertions, 1 deletions
diff --git a/drivers/media/platform/tegra/camera.c b/drivers/media/platform/tegra/camera.c index a8bba03708f1..be541b921ec5 100644 --- a/drivers/media/platform/tegra/camera.c +++ b/drivers/media/platform/tegra/camera.c @@ -686,9 +686,20 @@ static int camera_layout_get(struct camera_info *cam, unsigned long arg) if (err) return err; + if (param.variant > MAX_PARAM_VARIANT) { + dev_err(cam->dev, "%s param variant is too large: %u\n", + __func__, param.variant); + return -EINVAL; + } + if (param.sizeofvalue > MAX_PARAM_SIZE_OF_VALUE) { + dev_err(cam->dev, "%s size of param value is too large: %u\n", + __func__, param.sizeofvalue); + return -EINVAL; + } + len = (int)cam_desc.size_layout - param.variant; if (len <= 0) { - dev_err(cam->dev, "%s invalid offset %d\n", + dev_err(cam->dev, "%s invalid offset %u\n", __func__, param.variant); err = -EINVAL; goto getlayout_end; diff --git a/include/media/camera.h b/include/media/camera.h index 7528b9acede8..22f097ee3db2 100644 --- a/include/media/camera.h +++ b/include/media/camera.h @@ -117,6 +117,9 @@ #define CAMERA_DT_ARRAY_U16 22 #define CAMERA_DT_ARRAY_U32 23 +#define MAX_PARAM_SIZE_OF_VALUE 1024 +#define MAX_PARAM_VARIANT 4096 + enum { CAMERA_SEQ_EXEC, CAMERA_SEQ_REGISTER_EXEC, |