authorGreg Hackmann <ghackmann@google.com>2016-02-19 13:33:31 -0800
committerWinnie Hsu <whsu@nvidia.com>2017-05-16 12:38:01 -0700
commit651cce8f33cff889007ca563cdcff98abe3a5e90 (patch)
tree0916235878259b82b86f0abab31481ebecfe77b4 /include
parentc15231b2c2b5799645d599310421d1d6c46b395b (diff)
media: tegra: camera: sanity-check ioctl parameter
Several places in the camera stack can hit integer overflows or cause bad allocations if userspace passes in a bogus sizeofvalue parameter. Protect against this by using appropriately-sized integer types, adding range checks, replacing array-allocation calls with kcalloc(), and checking for allocations returning ZERO_SIZE_PTR. For one specific ioctl (PCLLK_IOCTL_UPDATE) sizeofvalue = 0 is fine, since when that happens the subdrivers won't actually touch the returned allocation. In fact the existing userspace camera driver makes calls like these and expects them to succeed! Handle this special case by adding a __camera_get_params variant that optionally treats zero-sized inputs as valid. (back ported from Nexus N9 project) Bug 1832830 Change-Id: Ie3250d8a4b814de5820fa0190b4cbd1af3ca4b3f Reported-by: Jianqiang Zhao <zhaojianqiang1@gmail.com> Signed-off-by: Greg Hackmann <ghackmann@google.com> Reviewed-on: http://git-master/r/1271367 Reviewed-by: Automatic_Commit_Validation_User GVS: Gerrit_Virtual_Submit Reviewed-by: Frank Chen <frankc@nvidia.com> Tested-by: Frank Chen <frankc@nvidia.com> Reviewed-by: Jihoon Bang <jbang@nvidia.com> Reviewed-by: Winnie Hsu <whsu@nvidia.com>
Diffstat (limited to 'include')
-rw-r--r--include/media/camera.h12
1 files changed, 9 insertions, 3 deletions
diff --git a/include/media/camera.h b/include/media/camera.h
index 5cbac56de269..7528b9acede8 100644
--- a/include/media/camera.h
+++ b/include/media/camera.h
@@ -337,7 +337,7 @@ struct camera_chip {
int (*power_off)(struct camera_device *cdev);
int (*shutdown)(struct camera_device *cdev);
int (*update)(struct camera_device *cdev,
- struct cam_update *upd, int num);
+ struct cam_update *upd, u32 num);
};
struct camera_sync_dev {
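Review bot: The `update` callback in `struct camera_chip` now takes `u32 num`, which rules out negative counts but does not by itself bound the value. The header still does not say who is responsible for range-checking `num` before it sizes an allocation or indexes `upd`. A contract comment on the member would make that explicit, for example `/* num: number of entries in upd[]; the caller must have bounded it before the call */`, assuming that is the intended division of labour. Each chip driver's `update` implementation also has to change its signature to match, and none of them is visible here. `struct camera_chip` starts above this hunk.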
@@ -386,8 +386,14 @@ struct camera_platform_info {
};
/* common functions */
-int camera_get_params(
- struct camera_info *, unsigned long, int, struct nvc_param *, void **);
+int __camera_get_params(
+ struct camera_info *, unsigned long, int, struct nvc_param *, void **,
+ bool);
+static inline int camera_get_params(struct camera_info *cam, unsigned long arg,
+ int u_size, struct nvc_param *prm, void **data)
+{
+ return __camera_get_params(cam, arg, u_size, prm, data, false);
+}
int camera_copy_user_params(unsigned long, struct nvc_param *);
int virtual_device_add(struct device *, unsigned long);
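Review bot: `u_size` is still a signed `int` in both the new `__camera_get_params` prototype and the `camera_get_params` wrapper, so nothing in the header rules out a negative size. The range check has to live in the implementation, which is outside this hunk. The trailing `bool` is unnamed and undocumented, although per the commit message it is the switch that relaxes the zero-size rejection. I would name and comment it, e.g. `bool zero_size_ok); /* true only for ioctls whose handlers never dereference a zero-length buffer */`. A one-line comment above the inline wrapper, such as `/* strict variant: passes false, so zero-sized input is presumably rejected */`, would help keep new callers on the strict path by default.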