CHROMIUM: camx: fix data_offset buffer overrun

Validate |data_offset| fields of vb2_buffers in the camx driver.
Currently we blindly add |data_offset| to the DMA address, which could
potentially allow userspace to write to arbitrary memory addresses.

BUG=b:235392268
TEST=Kernel builds and runs on strongbad. Test command
"cros_camera_connector_test
--gtest_filter=ConnectorTest/CaptureTest.OneFrame/NV12_640x480_30fps"
passes.
Signed-off-by: Justin Green <greenjustin@google.com>

Change-Id: Ibecb9c6e0dd8ac029555244ac256c4213f203cbc
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/third_party/kernel/+/3710550
Reviewed-by: Atanas Filipov <afilipov@mm-sol.com>
Commit-Queue: Justin Green <greenjustin@google.com>
Tested-by: Justin Green <greenjustin@google.com>
Reviewed-by: Ricardo Ribalda <ribalda@chromium.org>
1 file changed