divestos-build/Patches/Linux_CVEs/CVE-2017-9702/3.10/0001.patch

From 2ae1eab54e874553c078e5275421398597401ac9 Mon Sep 17 00:00:00 2001
From: Haibin Liu <haibinl@codeaurora.org>
Date: Wed, 17 May 2017 18:52:30 +0800
Subject: [PATCH] msm: camera: fix untrusted pointer for power down setting

When getting power down setting, there is an untrusted pointer
from a user space pointer.Need to copy to the kernel space first.

CRs-Fixed: 2037398
Bug: 36492827
Change-Id: I64032a96e62ddfeec85eebe984d8ba52754f6148
Signed-off-by: Haibin Liu <haibinl@codeaurora.org>
---
 .../platform/msm/camera_v2/sensor/msm_sensor_driver.c    | 16 +++++-----------
 1 file changed, 5 insertions(+), 11 deletions(-)

diff --git a/drivers/media/platform/msm/camera_v2/sensor/msm_sensor_driver.c b/drivers/media/platform/msm/camera_v2/sensor/msm_sensor_driver.c
index 87e741b651c4a..5d3c56191e0d4 100644
--- a/drivers/media/platform/msm/camera_v2/sensor/msm_sensor_driver.c
+++ b/drivers/media/platform/msm/camera_v2/sensor/msm_sensor_driver.c
@@ -407,17 +407,11 @@ static int32_t msm_sensor_create_pd_settings(void *setting,
 
 #ifdef CONFIG_COMPAT
 	if (is_compat_task()) {
-		int i = 0;
-		struct msm_sensor_power_setting32 *power_setting_iter =
-		(struct msm_sensor_power_setting32 *)compat_ptr((
-		(struct msm_camera_sensor_slave_info32 *)setting)->
-		power_setting_array.power_setting);
-
-		for (i = 0; i < size_down; i++) {
-			pd[i].config_val = power_setting_iter[i].config_val;
-			pd[i].delay = power_setting_iter[i].delay;
-			pd[i].seq_type = power_setting_iter[i].seq_type;
-			pd[i].seq_val = power_setting_iter[i].seq_val;
+		rc = msm_sensor_get_pw_settings_compat(
+			pd, pu, size_down);
+		if (rc < 0) {
+			pr_err("failed");
+			return -EFAULT;
 		}
 	} else
 #endif
Many new CVE patches 2017-11-25 19:39:02 -05:00			`From 2ae1eab54e874553c078e5275421398597401ac9 Mon Sep 17 00:00:00 2001`
			`From: Haibin Liu <haibinl@codeaurora.org>`
			`Date: Wed, 17 May 2017 18:52:30 +0800`
			`Subject: [PATCH] msm: camera: fix untrusted pointer for power down setting`

			`When getting power down setting, there is an untrusted pointer`
			`from a user space pointer.Need to copy to the kernel space first.`

			`CRs-Fixed: 2037398`
			`Bug: 36492827`
			`Change-Id: I64032a96e62ddfeec85eebe984d8ba52754f6148`
			`Signed-off-by: Haibin Liu <haibinl@codeaurora.org>`
			`---`
			`.../platform/msm/camera_v2/sensor/msm_sensor_driver.c \| 16 +++++-----------`
			`1 file changed, 5 insertions(+), 11 deletions(-)`

			`diff --git a/drivers/media/platform/msm/camera_v2/sensor/msm_sensor_driver.c b/drivers/media/platform/msm/camera_v2/sensor/msm_sensor_driver.c`
			`index 87e741b651c4a..5d3c56191e0d4 100644`
			`--- a/drivers/media/platform/msm/camera_v2/sensor/msm_sensor_driver.c`
			`+++ b/drivers/media/platform/msm/camera_v2/sensor/msm_sensor_driver.c`
			`@@ -407,17 +407,11 @@ static int32_t msm_sensor_create_pd_settings(void *setting,`

			`#ifdef CONFIG_COMPAT`
			`if (is_compat_task()) {`
			`- int i = 0;`
			`- struct msm_sensor_power_setting32 *power_setting_iter =`
			`- (struct msm_sensor_power_setting32 *)compat_ptr((`
			`- (struct msm_camera_sensor_slave_info32 *)setting)->`
			`- power_setting_array.power_setting);`
			`-`
			`- for (i = 0; i < size_down; i++) {`
			`- pd[i].config_val = power_setting_iter[i].config_val;`
			`- pd[i].delay = power_setting_iter[i].delay;`
			`- pd[i].seq_type = power_setting_iter[i].seq_type;`
			`- pd[i].seq_val = power_setting_iter[i].seq_val;`
			`+ rc = msm_sensor_get_pw_settings_compat(`
			`+ pd, pu, size_down);`
			`+ if (rc < 0) {`
			`+ pr_err("failed");`
			`+ return -EFAULT;`
			`}`
			`} else`
			`#endif`