From: Hans Verkuil Date: Wed, 29 May 2013 10:00:02 +0000 (-0300) Subject: [media] marvell-ccic: check register address X-Git-Url: http://git.lede-project.org./?a=commitdiff_plain;h=4e032f3f58800a998bae79150909410d7a37206f;p=openwrt%2Fstaging%2Fblogic.git [media] marvell-ccic: check register address Prevent out-of-range register accesses. Signed-off-by: Hans Verkuil Cc: Jonathan Corbet Signed-off-by: Mauro Carvalho Chehab --- diff --git a/drivers/media/platform/marvell-ccic/cafe-driver.c b/drivers/media/platform/marvell-ccic/cafe-driver.c index 7b07fc55cd3c..1f079ff33d4b 100644 --- a/drivers/media/platform/marvell-ccic/cafe-driver.c +++ b/drivers/media/platform/marvell-ccic/cafe-driver.c @@ -500,6 +500,7 @@ static int cafe_pci_probe(struct pci_dev *pdev, printk(KERN_ERR "Unable to ioremap cafe-ccic regs\n"); goto out_disable; } + mcam->regs_size = pci_resource_len(pdev, 0); ret = request_irq(pdev->irq, cafe_irq, IRQF_SHARED, "cafe-ccic", cam); if (ret) goto out_iounmap; diff --git a/drivers/media/platform/marvell-ccic/mcam-core.c b/drivers/media/platform/marvell-ccic/mcam-core.c index a187161e980e..c69cfc4413fc 100644 --- a/drivers/media/platform/marvell-ccic/mcam-core.c +++ b/drivers/media/platform/marvell-ccic/mcam-core.c @@ -1404,6 +1404,8 @@ static int mcam_vidioc_g_register(struct file *file, void *priv, { struct mcam_camera *cam = priv; + if (reg->reg > cam->regs_size - 4) + return -EINVAL; reg->val = mcam_reg_read(cam, reg->reg); reg->size = 4; return 0; @@ -1414,6 +1416,8 @@ static int mcam_vidioc_s_register(struct file *file, void *priv, { struct mcam_camera *cam = priv; + if (reg->reg > cam->regs_size - 4) + return -EINVAL; mcam_reg_write(cam, reg->reg, reg->val); return 0; } diff --git a/drivers/media/platform/marvell-ccic/mcam-core.h b/drivers/media/platform/marvell-ccic/mcam-core.h index 46b6ea31e66b..520c8ded9443 100644 --- a/drivers/media/platform/marvell-ccic/mcam-core.h +++ b/drivers/media/platform/marvell-ccic/mcam-core.h @@ -101,6 +101,7 @@ struct mcam_camera { */ struct i2c_adapter *i2c_adapter; unsigned char __iomem *regs; + unsigned regs_size; /* size in bytes of the register space */ spinlock_t dev_lock; struct device *dev; /* For messages, dma alloc */ enum mcam_chip_id chip_id; diff --git a/drivers/media/platform/marvell-ccic/mmp-driver.c b/drivers/media/platform/marvell-ccic/mmp-driver.c index cadad647ce0e..a634888271cd 100644 --- a/drivers/media/platform/marvell-ccic/mmp-driver.c +++ b/drivers/media/platform/marvell-ccic/mmp-driver.c @@ -202,6 +202,7 @@ static int mmpcam_probe(struct platform_device *pdev) ret = -ENODEV; goto out_free; } + mcam->regs_size = resource_size(res); /* * Power/clock memory is elsewhere; get it too. Perhaps this * should really be managed outside of this driver?