msm: camera: common: Fix possible OOB reads and writes operation

We need to check if the packet is valid before using it. CRs-Fixed: 3605421 Change-Id: Ide4e005ba46690c1cac02cb77a2d9aaa497b15df Signed-off-by: mingpan <quic_mingpan@quicinc.com> (cherry picked from commit 0156c0475a4c6c042eb84fcfbc14b3e837e0cb4c)
2023-09-05 18:53:50 +08:00
--- a/drivers/cam_sensor_module/cam_actuator/cam_actuator_core.c
+++ b/drivers/cam_sensor_module/cam_actuator/cam_actuator_core.c
@@ -515,6 +515,10 @@ int32_t cam_actuator_i2c_pkt_parse(struct cam_actuator_ctrl_t *a_ctrl,

 		/* Loop through multiple command buffers */
 		for (i = 0; i < csl_packet->num_cmd_buf; i++) {
+			rc = cam_packet_util_validate_cmd_desc(&cmd_desc[i]);
+			if (rc)
+				return rc;
+
 			total_cmd_buf_in_bytes = cmd_desc[i].length;
 			if (!total_cmd_buf_in_bytes)
 				continue;
--- a/drivers/cam_sensor_module/cam_eeprom/cam_eeprom_core.c
+++ b/drivers/cam_sensor_module/cam_eeprom/cam_eeprom_core.c
@@ -734,6 +734,10 @@ static int32_t cam_eeprom_parse_write_memory_packet(
 		int                            master;
 		struct cam_sensor_cci_client   *cci;

+		rc = cam_packet_util_validate_cmd_desc(&cmd_desc[i]);
+		if (rc)
+			return rc;
+
 		total_cmd_buf_in_bytes = cmd_desc[i].length;
 		processed_cmd_buf_in_bytes = 0;

@@ -950,6 +954,10 @@ static int32_t cam_eeprom_init_pkt_parser(struct cam_eeprom_ctrl_t *e_ctrl,

 	/* Loop through multiple command buffers */
 	for (i = 0; i < csl_packet->num_cmd_buf; i++) {
+		rc = cam_packet_util_validate_cmd_desc(&cmd_desc[i]);
+		if (rc)
+			return rc;
+
 		total_cmd_buf_in_bytes = cmd_desc[i].length;
 		processed_cmd_buf_in_bytes = 0;
 		if (!total_cmd_buf_in_bytes)
--- a/drivers/cam_sensor_module/cam_flash/cam_flash_core.c
+++ b/drivers/cam_sensor_module/cam_flash/cam_flash_core.c
@@ -1012,6 +1012,10 @@ int cam_flash_i2c_pkt_parser(struct cam_flash_ctrl *fctrl, void *arg)

 		/* Loop through multiple command buffers */
 		for (i = 1; i < csl_packet->num_cmd_buf; i++) {
+			rc = cam_packet_util_validate_cmd_desc(&cmd_desc[i]);
+			if (rc)
+				return rc;
+
 			total_cmd_buf_in_bytes = cmd_desc[i].length;
 			if (!total_cmd_buf_in_bytes)
 				continue;
--- a/drivers/cam_sensor_module/cam_ois/cam_ois_core.c
+++ b/drivers/cam_sensor_module/cam_ois/cam_ois_core.c
@@ -1106,6 +1106,10 @@ static int cam_ois_pkt_parse(struct cam_ois_ctrl_t *o_ctrl, void *arg)

 		/* Loop through multiple command buffers */
 		for (i = 0; i < csl_packet->num_cmd_buf; i++) {
+			rc = cam_packet_util_validate_cmd_desc(&cmd_desc[i]);
+			if (rc)
+				return rc;
+
 			total_cmd_buf_in_bytes = cmd_desc[i].length;
 			if (!total_cmd_buf_in_bytes)
 				continue;
--- a/drivers/cam_sensor_module/cam_sensor/cam_sensor_core.c
+++ b/drivers/cam_sensor_module/cam_sensor/cam_sensor_core.c
@@ -854,6 +854,10 @@ int32_t cam_handle_mem_ptr(uint64_t handle, uint32_t cmd,
 	CAM_DBG(CAM_SENSOR, "Received Header opcode: %u", probe_ver);

 	for (i = 0; i < pkt->num_cmd_buf; i++) {
+		rc = cam_packet_util_validate_cmd_desc(&cmd_desc[i]);
+		if (rc)
+			return rc;
+
 		if (!(cmd_desc[i].length))
 			continue;
 		rc = cam_mem_get_cpu_buf(cmd_desc[i].mem_handle,