authorFrank Chen <frankc@nvidia.com>2016-03-21 10:40:45 -0700
committerMatthew Pedro <mapedro@nvidia.com>2016-05-20 10:59:11 -0700
commit1275778d6d510a62c884afc7494bd7cd055855ee (patch)
treed9788e2c51eeb9fa50525459188054d0f2242229 /drivers
parent14359cb871606ffefa4ca2070b7e9ccb08dcd378 (diff)
camera: tegra: Fix security vulnerability issue
We need to validate power on/off function size passed in from user mode in order to avoid integer overflow or out of memory failures. Bug 1745100 Change-Id: Idddd848f7dc1e864559ad219f9204325128484e5 Signed-off-by: Frank Chen <frankc@nvidia.com> Signed-off-by: Bibek Basu <bbasu@nvidia.com> Reviewed-on: http://git-master/r/1114354 (cherry picked from commit 8b3afcc132882f3102083f9a24de7f55476ca59b) Reviewed-on: http://git-master/r/1150944 Reviewed-by: Automatic_Commit_Validation_User GVS: Gerrit_Virtual_Submit Reviewed-by: Matthew Pedro <mapedro@nvidia.com>
Diffstat (limited to 'drivers')
-rw-r--r--drivers/media/platform/tegra/cam_dev/virtual.c14
1 files changed, 13 insertions, 1 deletions
diff --git a/drivers/media/platform/tegra/cam_dev/virtual.c b/drivers/media/platform/tegra/cam_dev/virtual.c
index e151068fa377..5484d32205aa 100644
--- a/drivers/media/platform/tegra/cam_dev/virtual.c
+++ b/drivers/media/platform/tegra/cam_dev/virtual.c
@@ -1,7 +1,7 @@
/*
* virtual.c - Virtual kernel driver
*
- * Copyright (c) 2013-2014, NVIDIA CORPORATION. All rights reserved.
+ * Copyright (c) 2013-2016, NVIDIA CORPORATION. All rights reserved.
* This program is free software; you can redistribute it and/or modify it
* under the terms and conditions of the GNU General Public License,
@@ -354,6 +354,18 @@ static int virtual_device_sanity_check(
}
dev_dbg(dev, "regulator name size: %d\n", *len);
+ if (dev_info->pwr_on_size > VIRTUAL_DEV_MAX_POWER_SIZE) {
+ dev_err(dev, "%s power on function size too big %d!\n",
+ __func__, dev_info->pwr_on_size);
+ return -ENODEV;
+ }
+
+ if (dev_info->pwr_off_size > VIRTUAL_DEV_MAX_POWER_SIZE) {
+ dev_err(dev, "%s power off function size too big %d!\n",
+ __func__, dev_info->pwr_off_size);
+ return -ENODEV;
+ }
+
return 0;
}
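Review bot: The two new checks on `dev_info->pwr_on_size` and `dev_info->pwr_off_size` reject only values above `VIRTUAL_DEV_MAX_POWER_SIZE`, and both values are printed with `%d`, which suggests the fields may be signed; their declaration is not visible in this hunk. If they are signed, a negative size from user mode passes the check and still reaches whatever allocation or copy consumes it, so the guard should read `if (dev_info->pwr_on_size < 0 || dev_info->pwr_on_size > VIRTUAL_DEV_MAX_POWER_SIZE)` (likewise for `pwr_off_size`). If they are unsigned, the format specifier should be `%u` instead. A rejected user-supplied argument is also more conventionally reported as `-EINVAL` than `-ENODEV`, although the earlier checks in virtual_device_sanity_check(), which starts outside this hunk, may already use `-ENODEV` for consistency.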