media: tegra: camera: sanity-check ioctl parameter
author Greg Hackmann <ghackmann@google.com>
Fri, 19 Feb 2016 21:33:31 +0000 (13:33 -0800)
committer Winnie Hsu <whsu@nvidia.com>
Tue, 16 May 2017 19:38:01 +0000 (12:38 -0700)
commit 651cce8f33cff889007ca563cdcff98abe3a5e90
tree 0916235878259b82b86f0abab31481ebecfe77b4
parent c15231b2c2b5799645d599310421d1d6c46b395b
media: tegra: camera: sanity-check ioctl parameter

Several places in the camera stack can hit integer overflows or cause
bad allocations if userspace passes in a bogus sizeofvalue parameter.
Protect against this by using appropriately-sized integer types, adding
range checks, replacing array-allocation calls with kcalloc(), and
checking for allocations returning ZERO_SIZE_PTR.

For one specific ioctl (PCLLK_IOCTL_UPDATE) sizeofvalue = 0 is fine,
since when that happens the subdrivers won't actually touch the returned
allocation.  In fact the existing userspace camera driver makes calls
like these and expects them to succeed!  Handle this special case by
adding a __camera_get_params variant that optionally treats zero-sized
inputs as valid.

(back ported from Nexus N9 project)

Bug 1832830

Change-Id: Ie3250d8a4b814de5820fa0190b4cbd1af3ca4b3f
Reported-by: Jianqiang Zhao <zhaojianqiang1@gmail.com>
Signed-off-by: Greg Hackmann <ghackmann@google.com>
Reviewed-on: http://git-master/r/1271367
Reviewed-by: Automatic_Commit_Validation_User
GVS: Gerrit_Virtual_Submit
Reviewed-by: Frank Chen <frankc@nvidia.com>
Tested-by: Frank Chen <frankc@nvidia.com>
Reviewed-by: Jihoon Bang <jbang@nvidia.com>
Reviewed-by: Winnie Hsu <whsu@nvidia.com>
drivers/media/platform/tegra/cam_dev/imx135.c
drivers/media/platform/tegra/cam_dev/of_camera.c
drivers/media/platform/tegra/cam_dev/virtual.c
drivers/media/platform/tegra/camera.c
include/media/camera.h
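
The checks listed in the commit message, modelled in userspace C as an added example; this is not code from the commit or the driver. The function names, the `count` parameter (standing in for sizeofvalue), the `zero_allowed` flag and the `MAX_PARAM_BYTES` bound are assumptions made for illustration.

```c
/* Userspace model of the checks the commit message lists; not the driver's code. */
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define MAX_PARAM_BYTES (64u * 1024u)   /* assumed upper bound, not from the driver */

/* Unchecked pattern: the 32-bit product wraps before an allocator sees it. */
static uint32_t unchecked_alloc_size(uint32_t count, uint32_t elem_size)
{
    return count * elem_size;           /* 0x40000001 * 4 wraps to 4 */
}

/* kcalloc()-style allocation: refuses a count * elem_size that would overflow. */
static void *checked_calloc(size_t count, size_t elem_size)
{
    if (elem_size != 0 && count > SIZE_MAX / elem_size)
        return NULL;
    return calloc(count, elem_size);
}

/* zero_allowed models the variant that treats a zero-sized input as valid. */
static int get_params(const void *src, uint32_t count, size_t elem_size,
                      bool zero_allowed, void **out)
{
    *out = NULL;
    if (count == 0)                     /* never hand back a zero-size buffer */
        return zero_allowed ? 0 : -EINVAL;
    if (elem_size == 0 || count > MAX_PARAM_BYTES / elem_size)
        return -EINVAL;                 /* range check done by division, no wrap */
    *out = checked_calloc(count, elem_size);
    if (*out == NULL)
        return -ENOMEM;
    memcpy(*out, src, (size_t)count * elem_size);
    return 0;
}

int main(void)
{
    uint32_t vals[4] = {1, 2, 3, 4};    /* constructed sample input */
    void *buf;
    int rc = get_params(vals, 4, sizeof(vals[0]), false, &buf);
    free(buf);
    return (rc == 0 && unchecked_alloc_size(0x40000001u, 4) == 4) ? 0 : 1;
}
```

In the kernel, a zero-byte kmalloc() returns ZERO_SIZE_PTR rather than NULL, which is why the commit message calls for an explicit check; the model handles the zero case before any allocation is attempted.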