samsung-sm8650/android_kernel_samsung_sm8650-modules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

msm: camera: ope: check cpu buffer offset and cmd buf idx

Browse Source 
No check for cpu buffer offset, which may lead to out of cpu buffer
map. No check for cmd buffer index, which may lead to out of bound
or negative index. Adding check for cpu buffer map offset and
adding check for cmd buffer index.

CRs-Fixed: 3864084
Change-Id: I39494b0a9f323cb5569d37a0c033b2eaf8fbd32c
Signed-off-by: jinguiw <quic_jinguiw@quicinc.com>
This commit is contained in:
jinguiw
2024-07-11 18:03:15 +05:30
committed by Sridhar Gujje
parent 3ecdc35c98
commit d3fa7f131d
1 changed files with 12 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
drivers/cam_ope/ope_hw_mgr/cam_ope_hw_mgr.c
View File

@@ -2212,6 +2212,14 @@ static int cam_ope_mgr_process_cmd_buf_req(struct cam_ope_hw_mgr *hw_mgr,
hw_mgr->iommu_hdl);
goto end;
}
if ((len <= frame_process->cmd_buf[i][j].offset) ||
(frame_process->cmd_buf[i][j].size <
frame_process->cmd_buf[i][j].length) ||
((len - frame_process->cmd_buf[i][j].offset) <
frame_process->cmd_buf[i][j].length)) {
CAM_ERR(CAM_OPE, "Invalid offset.");
return -EINVAL;
}
cpu_addr = cpu_addr +
frame_process->cmd_buf[i][j].offset;
CAM_DBG(CAM_OPE, "Hdl %x size %d len %d off %d",
@@ -2260,6 +2268,10 @@ static int cam_ope_mgr_process_cmd_buf_req(struct cam_ope_hw_mgr *hw_mgr,
uint32_t s_idx = 0;
s_idx = cmd_buf->stripe_idx;
if (s_idx < 0 || s_idx >= OPE_MAX_STRIPES) {
CAM_ERR(CAM_OPE, "Invalid index.");
return -EINVAL;
}
num_cmd_bufs =
ope_request->num_stripe_cmd_bufs[i][s_idx];