msm: camera: utils: Validate buffer offset properly during dump

Abhilash Kumar · Abhilash Kumar · commit 67a2821ae9ed · 2025-11-10T17:22:52.000+05:30
This change adds validation for the buffer in the patch descriptor,
so that during dumping the information, illegal access is prevented.

CRs-Fixed: 4021530
Change-Id: I044c64a446e38a71e0e4781fc0ea5eae6a53dc5e
Signed-off-by: Abhilash Kumar &lt;krabhi@qti.qualcomm.com&gt;
diff --git a/camera/drivers/cam_utils/cam_packet_util.c b/camera/drivers/cam_utils/cam_packet_util.c
@@ -1,7 +1,7 @@
 // SPDX-License-Identifier: GPL-2.0-only
 /*
  * Copyright (c) 2017-2021, The Linux Foundation. All rights reserved.
- * Copyright (c) 2022-2025, Qualcomm Innovation Center, Inc. All rights reserved.
+ * Copyright (c) Qualcomm Technologies, Inc. and/or its subsidiaries.
  */
 
 #include <linux/types.h>
@@ -263,6 +263,7 @@ void cam_packet_util_dump_patch_info(struct cam_packet *packet,
 	int32_t    hdl;
 	uintptr_t  cpu_addr = 0;
 	uint32_t  *dst_cpu_addr;
+	uint32_t   dst_offset = 0;
 	uint32_t   flags, buf_fd;
 	uint32_t   value = 0;
 
@@ -320,16 +321,26 @@ void cam_packet_util_dump_patch_info(struct cam_packet *packet,
 			return;
 		}
 
+		dst_offset = patch_desc[i].dst_offset;
+
+		if ((dst_buf_len < sizeof(uint32_t)) ||
+			((dst_buf_len - sizeof(uint32_t)) < (size_t)dst_offset)) {
+			CAM_ERR(CAM_UTIL,
+				"Invalid dst buf patch at: %d src buf hdl 0x%llx src_buf address 0x%llx dst_buf_len 0x%zx, dst_offset 0x%x",
+				i, patch_desc[i].src_buf_hdl, iova_addr, dst_buf_len, dst_offset);
+			cam_mem_put_cpu_buf(patch_desc[i].dst_buf_hdl);
+			return;
+		}
+
 		dst_cpu_addr = (uint32_t *)cpu_addr;
-		dst_cpu_addr = (uint32_t *)((uint8_t *)dst_cpu_addr +
-			patch_desc[i].dst_offset);
+		dst_cpu_addr = (uint32_t *)((uint8_t *)dst_cpu_addr + dst_offset);
 		value = *dst_cpu_addr;
 		CAM_INFO(CAM_UTIL,
 			"i = %d src_buf 0x%llx src_hdl 0x%x src_buf_with_offset 0x%llx src_size 0x%llx src_flags: %x dst %p dst_offset %u dst_hdl 0x%x value 0x%x",
 			i, iova_addr, patch_desc[i].src_buf_hdl,
 			(iova_addr + patch_desc[i].src_offset),
 			src_buf_size, flags, dst_cpu_addr,
-			patch_desc[i].dst_offset,
+			dst_offset,
 			patch_desc[i].dst_buf_hdl, value);
 
 		if (!(*dst_cpu_addr))
