camera: tegra: Fix security vulnerability

Check a few input params to make sure there is
no potential for a heap overflow in the driver.

(Back ported from Nexus N9 project)

Bug 1757475 (nvidia)
Bug 1832830 (nvidia)
Bug 28193342 (google)

Change-Id: I979fa38c5f453cfad7070f0340ec04adde5bac13
Signed-off-by: Amey Asgaonkar <aasgaonkar@nvidia.com>
Reviewed-on: http://git-master/r/1271369
Reviewed-by: Automatic_Commit_Validation_User
GVS: Gerrit_Virtual_Submit
Reviewed-by: Frank Chen <frankc@nvidia.com>
Tested-by: Frank Chen <frankc@nvidia.com>
Reviewed-by: Jihoon Bang <jbang@nvidia.com>
Reviewed-by: Winnie Hsu <whsu@nvidia.com>

1 files changed, 12 insertions, 1 deletions

diff --git a/drivers/media/platform/tegra/camera.c b/drivers/media/platform/tegra/camera.c
index a8bba03708f1..be541b921ec5 100644
--- a/drivers/media/platform/tegra/camera.c
+++ b/drivers/media/platform/tegra/camera.c
@@ -686,9 +686,20 @@ static int camera_layout_get(struct camera_info *cam, unsigned long arg)
 	if (err)
 		return err;
 
+	if (param.variant > MAX_PARAM_VARIANT) {
+		dev_err(cam->dev, "%s param variant is too large: %u\n",
+		__func__, param.variant);
+		return -EINVAL;
+	}
+	if (param.sizeofvalue > MAX_PARAM_SIZE_OF_VALUE) {
+		dev_err(cam->dev, "%s size of param value is too large: %u\n",
+		__func__, param.sizeofvalue);
+		return -EINVAL;
+	}
+
 	len = (int)cam_desc.size_layout - param.variant;
 	if (len <= 0) {
-		dev_err(cam->dev, "%s invalid offset %d\n",
+		dev_err(cam->dev, "%s invalid offset %u\n",
 			__func__, param.variant);
 		err = -EINVAL;
 		goto getlayout_end;