Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 0495e628 authored by Pavan Kumar Chilamkurthi's avatar Pavan Kumar Chilamkurthi
Browse files

msm: camera: cpas: Fix invalid user ptr access in CONFIG_COMPAT mode 



When 32-bit task is calling IOCTLs into kernel, accessing the IOCTL
data will cause an access violation if the data is not copied
into kernel memory first. To avoid this, use copy_from_user()
and copy_to_user() while handling IOCTLs.

CRs-Fixed: 2019539
Change-Id: I2125778be7523853f7f7301586a3eff06479885d
Signed-off-by: default avatarPavan Kumar Chilamkurthi <pchilamk@codeaurora.org>
parent 823e0419

drivers/media/platform/msm/camera/cam_cpas/cam_cpas_intf.c

+18 −1
Original line number Diff line number Diff line
@@ -428,6 +428,7 @@ static long cam_cpas_subdev_ioctl(struct v4l2_subdev *sd, 
static long cam_cpas_subdev_compat_ioctl(struct v4l2_subdev *sd,

	unsigned int cmd, unsigned long arg)

{

	struct cam_control cmd_data;

	int32_t rc;

	struct cam_cpas_intf *cpas_intf = v4l2_get_subdevdata(sd);
@@ -436,9 +437,16 @@ static long cam_cpas_subdev_compat_ioctl(struct v4l2_subdev *sd, 
		return -ENODEV;

	}



	if (copy_from_user(&cmd_data, (void __user *)arg,

		sizeof(cmd_data))) {

		pr_err("Failed to copy from user_ptr=%pK size=%zu\n",

			(void __user *)arg, sizeof(cmd_data));

		return -EFAULT;

	}



	switch (cmd) {

	case VIDIOC_CAM_CONTROL:

		rc = cam_cpas_subdev_cmd(cpas_intf, (struct cam_control *) arg);

		rc = cam_cpas_subdev_cmd(cpas_intf, &cmd_data);

		break;

	default:

		pr_err("Invalid command %d for CPAS!\n", cmd);
@@ -446,6 +454,15 @@ static long cam_cpas_subdev_compat_ioctl(struct v4l2_subdev *sd, 
		break;

	}



	if (!rc) {

		if (copy_to_user((void __user *)arg, &cmd_data,

			sizeof(cmd_data))) {

			pr_err("Failed to copy to user_ptr=%pK size=%zu\n",

				(void __user *)arg, sizeof(cmd_data));

			rc = -EFAULT;

		}

	}



	return rc;

}

#endif