msm: camera: common: Fix possible OOB reads and writes operation
We need to check if the packet is valid before using it. CRs-Fixed: 3605421 Change-Id: Ide4e005ba46690c1cac02cb77a2d9aaa497b15df Signed-off-by: mingpan <quic_mingpan@quicinc.com> (cherry picked from commit 0156c0475a4c6c042eb84fcfbc14b3e837e0cb4c)
@@ -2155,6 +2155,10 @@ static int cam_cre_process_generic_cmd_buffer(
|
||||
((uint32_t *) &packet->payload + packet->cmd_buf_offset/4);
|
||||
|
||||
for (i = 0; i < packet->num_cmd_buf; i++) {
|
||||
rc = cam_packet_util_validate_cmd_desc(&cmd_desc[i]);
|
||||
if (rc)
|
||||
return rc;
|
||||
|
||||
if (!cmd_desc[i].length)
|
||||
continue;
|
||||
|
||||
|
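Review bot: The descriptor is validated in place and then read again from the same memory (`cmd_desc[i].length` right after the check in this loop), so the check only holds if nothing can modify the packet between the two reads. The hunk does not show where `packet` lives; if it is still a buffer that user space has mapped, validate and consume a local copy instead, e.g. `struct cam_cmd_buf_desc desc = cmd_desc[i];` followed by `rc = cam_packet_util_validate_cmd_desc(&desc);`. The same validate-then-reread pattern appears in every other loop this commit touches. It also relies on `cmd_buf_offset` and `num_cmd_buf` having been bounded against the packet size before the loop, which is outside the hunk.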
@@ -79,6 +79,9 @@ static int cam_fd_mgr_util_packet_validate(struct cam_packet *packet,
|
||||
packet->cmd_buf_offset);
|
||||
|
||||
for (i = 0; i < packet->num_cmd_buf; i++) {
|
||||
rc = cam_packet_util_validate_cmd_desc(&cmd_desc[i]);
|
||||
if (rc)
|
||||
return rc;
|
||||
/*
|
||||
* We can allow 0 length cmd buffer. This can happen in case
|
||||
* umd gives an empty cmd buffer as kmd buffer
|
||||
@@ -807,6 +810,10 @@ static int cam_fd_mgr_util_prepare_hw_update_entries(
|
||||
&prepare->packet->payload + prepare->packet->cmd_buf_offset);
|
||||
|
||||
for (i = 0; i < prepare->packet->num_cmd_buf; i++) {
|
||||
rc = cam_packet_util_validate_cmd_desc(&cmd_desc[i]);
|
||||
if (rc)
|
||||
return rc;
|
||||
|
||||
if (!cmd_desc[i].length)
|
||||
continue;
|
||||
|
||||
|
@@ -5983,6 +5983,10 @@ static int cam_icp_process_generic_cmd_buffer(
|
||||
cmd_desc = (struct cam_cmd_buf_desc *)
|
||||
((uint32_t *) &packet->payload + packet->cmd_buf_offset/4);
|
||||
for (i = 0; i < packet->num_cmd_buf; i++) {
|
||||
rc = cam_packet_util_validate_cmd_desc(&cmd_desc[i]);
|
||||
if (rc)
|
||||
return rc;
|
||||
|
||||
if (!cmd_desc[i].length)
|
||||
continue;
|
||||
|
||||
@@ -6106,6 +6110,10 @@ static int cam_icp_mgr_config_stream_settings(
|
||||
cmd_desc = (struct cam_cmd_buf_desc *)
|
||||
((uint32_t *) &packet->payload + packet->cmd_buf_offset/4);
|
||||
|
||||
rc = cam_packet_util_validate_cmd_desc(cmd_desc);
|
||||
if (rc)
|
||||
return rc;
|
||||
|
||||
if (!cmd_desc[0].length ||
|
||||
cmd_desc[0].meta_data != CAM_ICP_CMD_META_GENERIC_BLOB) {
|
||||
CAM_ERR(CAM_ICP, "%s: Invalid cmd buffer length/metadata",
|
||||
|
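Review bot: `cmd_desc[0]` is validated and then dereferenced here with no visible check that `packet->num_cmd_buf` is at least 1, so a packet that declares zero command buffers would still have the first descriptor slot read. If no earlier packet validation guarantees this (the start of `cam_icp_mgr_config_stream_settings` is outside the hunk), add `if (!packet->num_cmd_buf) return -EINVAL;` before the validation call. Otherwise a short comment naming the earlier check would be enough.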
@@ -508,6 +508,10 @@ static int cam_ife_mgr_handle_reg_dump(struct cam_ife_hw_mgr_ctx *ctx,
|
||||
ctx->ctx_index);
|
||||
|
||||
for (i = 0; i < num_reg_dump_buf; i++) {
|
||||
rc = cam_packet_util_validate_cmd_desc(®_dump_buf_desc[i]);
|
||||
if (rc)
|
||||
return rc;
|
||||
|
||||
CAM_DBG(CAM_ISP, "Reg dump cmd meta data: %u req_type: %u ctx_idx: %u",
|
||||
reg_dump_buf_desc[i].meta_data, meta_type, ctx->ctx_index);
|
||||
if (reg_dump_buf_desc[i].meta_data == meta_type) {
|
||||
|
@@ -318,6 +318,10 @@ int cam_isp_add_command_buffers(
|
||||
split_id, prepare->packet->num_cmd_buf);
|
||||
|
||||
for (i = 0; i < prepare->packet->num_cmd_buf; i++) {
|
||||
rc = cam_packet_util_validate_cmd_desc(&cmd_desc[i]);
|
||||
if (rc)
|
||||
return rc;
|
||||
|
||||
num_ent = prepare->num_hw_update_entries;
|
||||
if (!cmd_desc[i].length)
|
||||
continue;
|
||||
@@ -530,6 +534,10 @@ int cam_sfe_add_command_buffers(
|
||||
split_id, prepare->packet->num_cmd_buf);
|
||||
|
||||
for (i = 0; i < prepare->packet->num_cmd_buf; i++) {
|
||||
rc = cam_packet_util_validate_cmd_desc(&cmd_desc[i]);
|
||||
if (rc)
|
||||
return rc;
|
||||
|
||||
num_ent = prepare->num_hw_update_entries;
|
||||
if (!cmd_desc[i].length)
|
||||
continue;
|
||||
@@ -1591,6 +1599,10 @@ int cam_isp_add_csid_command_buffers(
|
||||
split_id, prepare->packet->num_cmd_buf);
|
||||
|
||||
for (i = 0; i < prepare->packet->num_cmd_buf; i++) {
|
||||
rc = cam_packet_util_validate_cmd_desc(&cmd_desc[i]);
|
||||
if (rc)
|
||||
return rc;
|
||||
|
||||
num_ent = prepare->num_hw_update_entries;
|
||||
if (!cmd_desc[i].length)
|
||||
continue;
|
||||
@@ -1889,6 +1901,10 @@ int cam_isp_get_cmd_buf_count(
|
||||
prepare->packet->cmd_buf_offset);
|
||||
|
||||
for (i = 0; i < prepare->packet->num_cmd_buf; i++) {
|
||||
rc = cam_packet_util_validate_cmd_desc(&cmd_desc[i]);
|
||||
if (rc)
|
||||
return rc;
|
||||
|
||||
if (!cmd_desc[i].length)
|
||||
continue;
|
||||
|
||||
|
@@ -169,6 +169,10 @@ static int cam_jpeg_add_command_buffers(struct cam_packet *packet,
|
||||
num_entry);
|
||||
|
||||
for (i = 0; i < packet->num_cmd_buf; i++) {
|
||||
rc = cam_packet_util_validate_cmd_desc(&cmd_desc[i]);
|
||||
if (rc)
|
||||
return rc;
|
||||
|
||||
CAM_DBG(CAM_JPEG,
|
||||
"Metadata: %u Offset: 0x%x Length: %u mem_handle: 0x%x num_entry: %d",
|
||||
cmd_desc[i].meta_data, cmd_desc[i].offset,
|
||||
|
@@ -123,6 +123,10 @@ static int cam_lrme_mgr_util_packet_validate(struct cam_packet *packet,
|
||||
packet->cmd_buf_offset);
|
||||
|
||||
for (i = 0; i < packet->num_cmd_buf; i++) {
|
||||
rc = cam_packet_util_validate_cmd_desc(&cmd_desc[i]);
|
||||
if (rc)
|
||||
return rc;
|
||||
|
||||
if (!cmd_desc[i].length)
|
||||
continue;
|
||||
|
||||
@@ -324,6 +328,10 @@ static int cam_lrme_mgr_util_prepare_hw_update_entries(
|
||||
&prepare->packet->payload + prepare->packet->cmd_buf_offset);
|
||||
|
||||
for (i = 0; i < prepare->packet->num_cmd_buf; i++) {
|
||||
rc = cam_packet_util_validate_cmd_desc(&cmd_desc[i]);
|
||||
if (rc)
|
||||
return rc;
|
||||
|
||||
if (!cmd_desc[i].length)
|
||||
continue;
|
||||
|
||||
|
@@ -437,6 +437,10 @@ static int cam_ope_mgr_put_cmd_buf(struct cam_packet *packet)
|
||||
((uint32_t *) &packet->payload + packet->cmd_buf_offset/4);
|
||||
|
||||
for (i = 0; i < packet->num_cmd_buf; i++) {
|
||||
rc = cam_packet_util_validate_cmd_desc(&cmd_desc[i]);
|
||||
if (rc)
|
||||
return rc;
|
||||
|
||||
if (cmd_desc[i].type != CAM_CMD_BUF_GENERIC ||
|
||||
cmd_desc[i].meta_data == OPE_CMD_META_GENERIC_BLOB)
|
||||
continue;
|
||||
@@ -558,6 +562,10 @@ static int cam_ope_dump_frame_process(struct cam_packet *packet,
|
||||
cmd_desc = (struct cam_cmd_buf_desc *)
|
||||
((uint32_t *) &packet->payload + packet->cmd_buf_offset/4);
|
||||
for (i = 0; i < packet->num_cmd_buf; i++) {
|
||||
rc = cam_packet_util_validate_cmd_desc(&cmd_desc[i]);
|
||||
if (rc)
|
||||
return rc;
|
||||
|
||||
if (cmd_desc[i].type != CAM_CMD_BUF_GENERIC ||
|
||||
cmd_desc[i].meta_data == OPE_CMD_META_GENERIC_BLOB)
|
||||
continue;
|
||||
@@ -2303,6 +2311,10 @@ static int cam_ope_mgr_process_cmd_desc(struct cam_ope_hw_mgr *hw_mgr,
|
||||
|
||||
*ope_cmd_buf_addr = 0;
|
||||
for (i = 0; i < packet->num_cmd_buf; i++, num_cmd_buf++) {
|
||||
rc = cam_packet_util_validate_cmd_desc(&cmd_desc[i]);
|
||||
if (rc)
|
||||
return rc;
|
||||
|
||||
if (cmd_desc[i].type != CAM_CMD_BUF_GENERIC ||
|
||||
cmd_desc[i].meta_data == OPE_CMD_META_GENERIC_BLOB)
|
||||
continue;
|
||||
@@ -3212,16 +3224,20 @@ static int cam_ope_process_generic_cmd_buffer(
|
||||
((uint32_t *) &packet->payload + packet->cmd_buf_offset/4);
|
||||
|
||||
for (i = 0; i < packet->num_cmd_buf; i++) {
|
||||
rc = cam_packet_util_validate_cmd_desc(&cmd_desc[i]);
|
||||
if (rc)
|
||||
return rc;
|
||||
|
||||
if (!cmd_desc[i].length)
|
||||
continue;
|
||||
|
||||
if (cmd_desc[i].meta_data != OPE_CMD_META_GENERIC_BLOB)
|
||||
continue;
|
||||
if (cmd_desc[i].meta_data != OPE_CMD_META_GENERIC_BLOB)
|
||||
continue;
|
||||
|
||||
rc = cam_packet_util_process_generic_cmd_buffer(&cmd_desc[i],
|
||||
cam_ope_packet_generic_blob_handler, &cmd_generic_blob);
|
||||
if (rc)
|
||||
CAM_ERR(CAM_OPE, "Failed in processing blobs %d", rc);
|
||||
rc = cam_packet_util_process_generic_cmd_buffer(&cmd_desc[i],
|
||||
cam_ope_packet_generic_blob_handler, &cmd_generic_blob);
|
||||
if (rc)
|
||||
CAM_ERR(CAM_OPE, "Failed in processing blobs %d", rc);
|
||||
}
|
||||
|
||||
return rc;
|
||||
|
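Review bot: With the validation call now assigning `rc` at the top of every iteration, a failure from `cam_packet_util_process_generic_cmd_buffer()` is only logged and then overwritten on the next pass, so the function can return 0 after a blob failed to process unless it was the last descriptor. Either stop on the error, `if (rc) { CAM_ERR(CAM_OPE, "Failed in processing blobs %d", rc); return rc; }`, or keep the validation result in a separate variable so the processing error survives to `return rc;`. Other generic-blob loops in this commit (for instance `cam_icp_process_generic_cmd_buffer`) may have the same shape, but their tails are outside the visible hunks.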
@@ -515,6 +515,10 @@ int32_t cam_actuator_i2c_pkt_parse(struct cam_actuator_ctrl_t *a_ctrl,
|
||||
|
||||
/* Loop through multiple command buffers */
|
||||
for (i = 0; i < csl_packet->num_cmd_buf; i++) {
|
||||
rc = cam_packet_util_validate_cmd_desc(&cmd_desc[i]);
|
||||
if (rc)
|
||||
return rc;
|
||||
|
||||
total_cmd_buf_in_bytes = cmd_desc[i].length;
|
||||
if (!total_cmd_buf_in_bytes)
|
||||
continue;
|
||||
|
@@ -734,6 +734,10 @@ static int32_t cam_eeprom_parse_write_memory_packet(
|
||||
int master;
|
||||
struct cam_sensor_cci_client *cci;
|
||||
|
||||
rc = cam_packet_util_validate_cmd_desc(&cmd_desc[i]);
|
||||
if (rc)
|
||||
return rc;
|
||||
|
||||
total_cmd_buf_in_bytes = cmd_desc[i].length;
|
||||
processed_cmd_buf_in_bytes = 0;
|
||||
|
||||
@@ -950,6 +954,10 @@ static int32_t cam_eeprom_init_pkt_parser(struct cam_eeprom_ctrl_t *e_ctrl,
|
||||
|
||||
/* Loop through multiple command buffers */
|
||||
for (i = 0; i < csl_packet->num_cmd_buf; i++) {
|
||||
rc = cam_packet_util_validate_cmd_desc(&cmd_desc[i]);
|
||||
if (rc)
|
||||
return rc;
|
||||
|
||||
total_cmd_buf_in_bytes = cmd_desc[i].length;
|
||||
processed_cmd_buf_in_bytes = 0;
|
||||
if (!total_cmd_buf_in_bytes)
|
||||
|
@@ -1012,6 +1012,10 @@ int cam_flash_i2c_pkt_parser(struct cam_flash_ctrl *fctrl, void *arg)
|
||||
|
||||
/* Loop through multiple command buffers */
|
||||
for (i = 1; i < csl_packet->num_cmd_buf; i++) {
|
||||
rc = cam_packet_util_validate_cmd_desc(&cmd_desc[i]);
|
||||
if (rc)
|
||||
return rc;
|
||||
|
||||
total_cmd_buf_in_bytes = cmd_desc[i].length;
|
||||
if (!total_cmd_buf_in_bytes)
|
||||
continue;
|
||||
|
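Review bot: This loop starts at `i = 1`, so `cmd_desc[0]` is never passed to `cam_packet_util_validate_cmd_desc()` in this hunk. If the first descriptor is consumed earlier in `cam_flash_i2c_pkt_parser` (that code is outside the hunk), it needs the same check before its `length`, `offset` or `mem_handle` are used. Once that is in place, a one-line comment above the loop saying where descriptor 0 is validated would make the gap reviewable, e.g. `/* cmd_desc[0] is validated where the header is parsed */`.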
@@ -1106,6 +1106,10 @@ static int cam_ois_pkt_parse(struct cam_ois_ctrl_t *o_ctrl, void *arg)
|
||||
|
||||
/* Loop through multiple command buffers */
|
||||
for (i = 0; i < csl_packet->num_cmd_buf; i++) {
|
||||
rc = cam_packet_util_validate_cmd_desc(&cmd_desc[i]);
|
||||
if (rc)
|
||||
return rc;
|
||||
|
||||
total_cmd_buf_in_bytes = cmd_desc[i].length;
|
||||
if (!total_cmd_buf_in_bytes)
|
||||
continue;
|
||||
|
@@ -854,6 +854,10 @@ int32_t cam_handle_mem_ptr(uint64_t handle, uint32_t cmd,
|
||||
CAM_DBG(CAM_SENSOR, "Received Header opcode: %u", probe_ver);
|
||||
|
||||
for (i = 0; i < pkt->num_cmd_buf; i++) {
|
||||
rc = cam_packet_util_validate_cmd_desc(&cmd_desc[i]);
|
||||
if (rc)
|
||||
return rc;
|
||||
|
||||
if (!(cmd_desc[i].length))
|
||||
continue;
|
||||
rc = cam_mem_get_cpu_buf(cmd_desc[i].mem_handle,
|
||||
|
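Review bot: The new `return rc;` leaves `cam_handle_mem_ptr` directly from inside the loop, while the loop itself takes buffer references with `cam_mem_get_cpu_buf()` a few lines later. If the function already holds a reference on the packet buffer or on an earlier command buffer when a later descriptor fails validation, this path skips the release. The code before and after the loop is outside the hunk, so this needs checking against the function's existing error path, and if there is a common exit label the new branch should jump to it instead of returning. The next hunk sits below a `send_cmd_buffers:` label, so that function uses goto-based flow and deserves the same check.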
@@ -792,6 +792,10 @@ send_cmd_buffers:
|
||||
cmd_desc = (struct cam_cmd_buf_desc *) ((uint8_t *)&packet->payload +
|
||||
packet->cmd_buf_offset);
|
||||
for (i = 0; i < packet->num_cmd_buf; i++) {
|
||||
rc = cam_packet_util_validate_cmd_desc(&cmd_desc[i]);
|
||||
if (rc)
|
||||
return rc;
|
||||
|
||||
CAM_DBG(CAM_PRESIL, "Adding CMD buffer:%d", cmd_desc[i].mem_handle);
|
||||
cam_presil_add_unique_buf_hdl_to_list(cmd_desc[i].mem_handle,
|
||||
unique_cmd_buffers, &num_cmd_handles, CAM_PRESIL_UNIQUE_HDL_MAX);
|
||||
|