From d3fa7f131d83278faffdff2495e70c16aa73f9af Mon Sep 17 00:00:00 2001
From: jinguiw
Date: Thu, 11 Jul 2024 18:03:15 +0530
Subject: [PATCH] msm: camera: ope: check cpu buffer offset and cmd buf idx No check for cpu buffer offset, which may lead to out of cpu buffer map. No check for cmd buffer index, which may lead to out of bound or negative index. Adding check for cpu buffer map offset and adding check for cmd buffer index.
CRs-Fixed: 3864084
Change-Id: I39494b0a9f323cb5569d37a0c033b2eaf8fbd32c
Signed-off-by: jinguiw
---
 drivers/cam_ope/ope_hw_mgr/cam_ope_hw_mgr.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/drivers/cam_ope/ope_hw_mgr/cam_ope_hw_mgr.c b/drivers/cam_ope/ope_hw_mgr/cam_ope_hw_mgr.c
index 7c5af792e1..412154536a 100644
--- a/drivers/cam_ope/ope_hw_mgr/cam_ope_hw_mgr.c
+++ b/drivers/cam_ope/ope_hw_mgr/cam_ope_hw_mgr.c
@@ -2212,6 +2212,14 @@ static int cam_ope_mgr_process_cmd_buf_req(struct cam_ope_hw_mgr *hw_mgr,
 hw_mgr->iommu_hdl);
 goto end;
 }
+ if ((len <= frame_process->cmd_buf[i][j].offset) ||
+ (frame_process->cmd_buf[i][j].size <
+ frame_process->cmd_buf[i][j].length) ||
+ ((len - frame_process->cmd_buf[i][j].offset) <
+ frame_process->cmd_buf[i][j].length)) {
+ CAM_ERR(CAM_OPE, "Invalid offset.");
+ return -EINVAL;
+ }
 cpu_addr = cpu_addr + frame_process->cmd_buf[i][j].offset;
 CAM_DBG(CAM_OPE, "Hdl %x size %d len %d off %d",
@@ -2260,6 +2268,10 @@ static int cam_ope_mgr_process_cmd_buf_req(struct cam_ope_hw_mgr *hw_mgr,
 uint32_t s_idx = 0;
 s_idx = cmd_buf->stripe_idx;
+ if (s_idx < 0 || s_idx >= OPE_MAX_STRIPES) {
+ CAM_ERR(CAM_OPE, "Invalid index.");
+ return -EINVAL;
+ }
 num_cmd_bufs = ope_request->num_stripe_cmd_bufs[i][s_idx];
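Review bot: The new offset check in the first hunk leaves with `return -EINVAL;`, while the failure path directly above it exits through `goto end;`, so whatever unwinding happens at `end` (the label is outside the hunk) is skipped when a command buffer is rejected. The stripe-index check in the second hunk returns directly in the same way. Storing -EINVAL in the function's status variable and using `goto end;` in both places would keep a single exit path. The message `"Invalid offset."` also carries none of the compared values; logging the offset, length, size and mapped `len` would make a rejected request diagnosable from the kernel log. The function body starts and ends outside both hunks.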
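Review bot: In the second hunk `s_idx < 0` can never be true, because `s_idx` is declared `uint32_t` in the context line just above. A negative `stripe_idx` would already have wrapped to a large unsigned value and is caught by the upper bound alone. The dead comparison is likely to trigger a type-limits warning and suggests a signed check that does not exist, so `if (s_idx >= OPE_MAX_STRIPES) {` is enough. This assumes the second dimension of `num_stripe_cmd_bufs` is sized by `OPE_MAX_STRIPES`, which the hunk does not show and is worth confirming against the struct definition. The enclosing block continues past the end of the hunk.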