msm: camera: isp: validate in_port before accessing
The in_port information we get from the UMD is accessed
directly without validation, which might lead to
corruption and device failure.
Change-Id: I02a00efad45e9045b800ef405c432ff041785676
Signed-off-by: Tejas Prajapati <tpraja@codeaurora.org>
diff --git a/drivers/media/platform/msm/camera_v3/cam_isp/isp_hw_mgr/cam_ife_hw_mgr.c b/drivers/media/platform/msm/camera_v3/cam_isp/isp_hw_mgr/cam_ife_hw_mgr.c
index 91e1e74..d8fd9e0 100644
--- a/drivers/media/platform/msm/camera_v3/cam_isp/isp_hw_mgr/cam_ife_hw_mgr.c
+++ b/drivers/media/platform/msm/camera_v3/cam_isp/isp_hw_mgr/cam_ife_hw_mgr.c
@@ -1,4 +1,4 @@
-/* Copyright (c) 2017-2019, The Linux Foundation. All rights reserved.
+/* Copyright (c) 2017-2020, The Linux Foundation. All rights reserved.
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2 and
@@ -1803,18 +1803,36 @@
static int cam_ife_mgr_check_and_update_fe(
struct cam_ife_hw_mgr_ctx *ife_ctx,
- struct cam_isp_acquire_hw_info *acquire_hw_info)
+ struct cam_isp_acquire_hw_info *acquire_hw_info,
+ uint32_t acquire_info_size)
{
int i;
struct cam_isp_in_port_info *in_port = NULL;
uint32_t in_port_length = 0;
uint32_t total_in_port_length = 0;
+ if (acquire_hw_info->input_info_offset >=
+ acquire_hw_info->input_info_size) {
+ CAM_ERR(CAM_ISP,
+ "Invalid size offset 0x%x is greater then size 0x%x",
+ acquire_hw_info->input_info_offset,
+ acquire_hw_info->input_info_size);
+ return -EINVAL;
+ }
+
in_port = (struct cam_isp_in_port_info *)
((uint8_t *)&acquire_hw_info->data +
acquire_hw_info->input_info_offset);
for (i = 0; i < acquire_hw_info->num_inputs; i++) {
+ if (((uint8_t *)in_port +
+ sizeof(struct cam_isp_in_port_info)) >
+ ((uint8_t *)acquire_hw_info +
+ acquire_info_size)) {
+ CAM_ERR(CAM_ISP, "Invalid size");
+ return -EINVAL;
+ }
+
if ((in_port->num_out_res > CAM_IFE_HW_OUT_RES_MAX) ||
(in_port->num_out_res <= 0)) {
CAM_ERR(CAM_ISP, "Invalid num output res %u",
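Review bot: The new per-port check at L41–L44 is done with pointer arithmetic on `in_port`, which L37–L39 derives from the UMD-supplied `input_info_offset` before that offset has ever been compared with the real buffer length `acquire_info_size` (the check at L28–L29 only compares it with `input_info_size`, another UMD-controlled field). A large offset therefore produces a pointer far outside the allocation before the comparison runs, which is undefined behaviour and may wrap so that the `>` test passes. The check also bounds only the fixed `sizeof(struct cam_isp_in_port_info)` header of each port; if the loop advances `in_port` by a length computed from `num_out_res` (the `in_port_length` declarations suggest so, but the rest of the body is outside the hunk), the variable-length tail of the last port is never bounded. Bound the offset in integer arithmetic before the cast, as below, and bound the per-port length the same way where it is computed. The new message at L31 also misspells "than" and describes a `>=` check as "greater".
```c
	/* Bound the UMD-supplied offset against the real buffer length in
	 * integer arithmetic before deriving a pointer from it; comparing
	 * pointers computed from an unchecked offset is UB and can wrap. */
	if (acquire_info_size < offsetof(struct cam_isp_acquire_hw_info, data) +
		sizeof(struct cam_isp_in_port_info) ||
		acquire_hw_info->input_info_offset >
		acquire_info_size - offsetof(struct cam_isp_acquire_hw_info, data) -
		sizeof(struct cam_isp_in_port_info)) {
		CAM_ERR(CAM_ISP, "Invalid input_info_offset 0x%x for size 0x%x",
			acquire_hw_info->input_info_offset, acquire_info_size);
		return -EINVAL;
	}
	in_port = (struct cam_isp_in_port_info *)
		((uint8_t *)&acquire_hw_info->data +
		acquire_hw_info->input_info_offset);
	/* … unchanged: per-input loop and its header bound check … */
```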
@@ -2074,7 +2092,8 @@
acquire_hw_info =
(struct cam_isp_acquire_hw_info *)acquire_args->acquire_info;
- rc = cam_ife_mgr_check_and_update_fe(ife_ctx, acquire_hw_info);
+ rc = cam_ife_mgr_check_and_update_fe(ife_ctx, acquire_hw_info,
+ acquire_args->acquire_info_size);
if (rc) {
CAM_ERR(CAM_ISP, "buffer size is not enough");
goto free_cdm;