authorAmey Asgaonkar <aasgaonkar@nvidia.com>2016-04-28 18:01:42 -0700
committerWinnie Hsu <whsu@nvidia.com>2017-05-16 12:38:15 -0700
commit47f46d91bdd0ec42cf688dda09dcd187afdadffd (patch)
tree4838677ed6efc4532dd2ee0a75fc7bfe9c3916ca
parent36d071c93e79a3b340aa76c83079cdf441b5d381 (diff)
camera: tegra: Fix security vulnerability
Check a few input params to make sure there is no potential for a heap overflow in the driver. (Back ported from Nexus N9 project) Bug 1757475 (nvidia) Bug 1832830 (nvidia) Bug 28193342 (google) Change-Id: I979fa38c5f453cfad7070f0340ec04adde5bac13 Signed-off-by: Amey Asgaonkar <aasgaonkar@nvidia.com> Reviewed-on: http://git-master/r/1271369 Reviewed-by: Automatic_Commit_Validation_User GVS: Gerrit_Virtual_Submit Reviewed-by: Frank Chen <frankc@nvidia.com> Tested-by: Frank Chen <frankc@nvidia.com> Reviewed-by: Jihoon Bang <jbang@nvidia.com> Reviewed-by: Winnie Hsu <whsu@nvidia.com>
-rw-r--r--drivers/media/platform/tegra/camera.c13
-rw-r--r--include/media/camera.h3
2 files changed, 15 insertions, 1 deletions
diff --git a/drivers/media/platform/tegra/camera.c b/drivers/media/platform/tegra/camera.c
index a8bba03708f1..be541b921ec5 100644
--- a/drivers/media/platform/tegra/camera.c
+++ b/drivers/media/platform/tegra/camera.c
@@ -686,9 +686,20 @@ static int camera_layout_get(struct camera_info *cam, unsigned long arg)
if (err)
return err;
+ if (param.variant > MAX_PARAM_VARIANT) {
+ dev_err(cam->dev, "%s param variant is too large: %u\n",
+ __func__, param.variant);
+ return -EINVAL;
+ }
+ if (param.sizeofvalue > MAX_PARAM_SIZE_OF_VALUE) {
+ dev_err(cam->dev, "%s size of param value is too large: %u\n",
+ __func__, param.sizeofvalue);
+ return -EINVAL;
+ }
+
len = (int)cam_desc.size_layout - param.variant;
if (len <= 0) {
- dev_err(cam->dev, "%s invalid offset %d\n",
+ dev_err(cam->dev, "%s invalid offset %u\n",
__func__, param.variant);
err = -EINVAL;
goto getlayout_end;
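Review bot: The two added limits are fixed constants, so the check that actually keeps the offset inside the layout buffer is still the `len <= 0` test below them, and that test relies on mixed signed/unsigned arithmetic in `len = (int)cam_desc.size_layout - param.variant;` (the switch to `%u` suggests `variant` is unsigned). Comparing the fields directly, for example `if (param.variant >= cam_desc.size_layout)`, would state the real bound without depending on a wrapped value converting to a negative int. Nothing in the hunk shows `param.sizeofvalue` being compared with `len` before the data is copied; camera_layout_get continues outside the hunk, so that should be confirmed there. Since these values appear to come from a caller-supplied argument, `dev_err_ratelimited()` in place of `dev_err()` would keep a misbehaving caller from flooding the kernel log.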
diff --git a/include/media/camera.h b/include/media/camera.h
index 7528b9acede8..22f097ee3db2 100644
--- a/include/media/camera.h
+++ b/include/media/camera.h
@@ -117,6 +117,9 @@
#define CAMERA_DT_ARRAY_U16 22
#define CAMERA_DT_ARRAY_U32 23
+#define MAX_PARAM_SIZE_OF_VALUE 1024
+#define MAX_PARAM_VARIANT 4096
+
enum {
CAMERA_SEQ_EXEC,
CAMERA_SEQ_REGISTER_EXEC,
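Review bot: `MAX_PARAM_SIZE_OF_VALUE` and `MAX_PARAM_VARIANT` are added to a shared header without the `CAMERA_` prefix that the neighbouring `CAMERA_DT_ARRAY_*` constants use, and with no comment saying what they bound or why 1024 and 4096 were chosen. Generic names like these risk colliding with definitions from other headers; `CAMERA_MAX_PARAM_SIZE_OF_VALUE` and `CAMERA_MAX_PARAM_VARIANT` would match the rest of the file. A one-line comment such as `/* upper bounds for caller-supplied camera param fields, enforced in camera_layout_get() */` would tell the next reader where the limits are applied and that they are a security boundary, not a tuning knob.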