From 47f46d91bdd0ec42cf688dda09dcd187afdadffd Mon Sep 17 00:00:00 2001
From: Amey Asgaonkar
Date: Thu, 28 Apr 2016 18:01:42 -0700
Subject: camera: tegra: Fix security vulnerability

Check a few input params to make sure there is no potential for a heap overflow in the driver.
(Back ported from Nexus N9 project)
Bug 1757475 (nvidia)
Bug 1832830 (nvidia)
Bug 28193342 (google)
Change-Id: I979fa38c5f453cfad7070f0340ec04adde5bac13
Signed-off-by: Amey Asgaonkar
Reviewed-on: http://git-master/r/1271369
Reviewed-by: Automatic_Commit_Validation_User
GVS: Gerrit_Virtual_Submit
Reviewed-by: Frank Chen
Tested-by: Frank Chen
Reviewed-by: Jihoon Bang
Reviewed-by: Winnie Hsu
---
 drivers/media/platform/tegra/camera.c | 13 ++++++++++++-
 include/media/camera.h | 3 +++
 2 files changed, 15 insertions(+), 1 deletion(-)

diff --git a/drivers/media/platform/tegra/camera.c b/drivers/media/platform/tegra/camera.c
index a8bba03708f1..be541b921ec5 100644
--- a/drivers/media/platform/tegra/camera.c
+++ b/drivers/media/platform/tegra/camera.c
@@ -686,9 +686,20 @@ static int camera_layout_get(struct camera_info *cam, unsigned long arg)
 if (err)
 return err;

+ if (param.variant > MAX_PARAM_VARIANT) {
+ dev_err(cam->dev, "%s param variant is too large: %u\n",
+ __func__, param.variant);
+ return -EINVAL;
+ }
+ if (param.sizeofvalue > MAX_PARAM_SIZE_OF_VALUE) {
+ dev_err(cam->dev, "%s size of param value is too large: %u\n",
+ __func__, param.sizeofvalue);
+ return -EINVAL;
+ }
+
 len = (int)cam_desc.size_layout - param.variant;
 if (len <= 0) {
- dev_err(cam->dev, "%s invalid offset %d\n",
+ dev_err(cam->dev, "%s invalid offset %u\n",
 __func__, param.variant);
 err = -EINVAL;
 goto getlayout_end;
diff --git a/include/media/camera.h b/include/media/camera.h
index 7528b9acede8..22f097ee3db2 100644
--- a/include/media/camera.h
+++ b/include/media/camera.h
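Review bot: In camera_layout_get() (drivers/media/platform/tegra/camera.c) the new `param.variant > MAX_PARAM_VARIANT` guard bounds the offset by a fixed constant rather than by the buffer it indexes, so the real bounds decision is still left to `len = (int)cam_desc.size_layout - param.variant`. The switch to `%u` suggests `variant` is unsigned, in which case that subtraction is carried out in unsigned arithmetic and only comes out non-positive after the conversion to `int` because the cap keeps the operands small. Comparing directly before computing `len`, e.g. `if (param.variant >= cam_desc.size_layout) {`, would not depend on the value of the constant or on that conversion. The declarations of `param` and `cam_desc` and the part of the function that uses `len` and `sizeofvalue` are outside the hunk, so this should be confirmed against them. The two new checks also `return -EINVAL` directly while the neighbouring error path uses `goto getlayout_end`, so it is worth confirming that nothing needs unwinding at that point.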
@@ -117,6 +117,9 @@
 #define CAMERA_DT_ARRAY_U16 22
 #define CAMERA_DT_ARRAY_U32 23

+#define MAX_PARAM_SIZE_OF_VALUE 1024
+#define MAX_PARAM_VARIANT 4096
+
 enum {
 CAMERA_SEQ_EXEC,
 CAMERA_SEQ_REGISTER_EXEC,
-- 
cgit v1.2.3
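Review bot: The two limits added to include/media/camera.h have no comment saying which fields they bound or where 1024 and 4096 come from, which matters because they are the only thing the new input checks in camera_layout_get() compare against. A line such as `/* Upper bounds for the sizeofvalue and variant input params checked in camera_layout_get(). */` above them would record that, ideally with a word on how 4096 relates to the largest layout the driver can hold (not visible in this patch). Unlike the neighbouring `CAMERA_DT_*` constants the new names carry no subsystem prefix, so in a shared header something like `CAMERA_MAX_PARAM_VARIANT` would be less likely to clash, with the use in camera.c renamed to match.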