Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 6b4232c9 authored by Shivi Mangal's avatar Shivi Mangal Committed by Sridhar Gujje
Browse files

msm: camera: sensor: Handling race condition in util api 



I2C cmd is coming from user space which can be modified due to
access to shared memory. This change scopes the data locally so
as to avoid vulnerability of count being modified by external
means while executing due to being in shared memory.

CRs-Fixed: 3707472
Change-Id: I8a89e23e99b80b089ed4c4cf3098feead752356e
Signed-off-by: default avatarShivi Mangal <quic_smangal@quicinc.com>
(cherry picked from commit fbcaf470eddb6fcaf1c9c63835113a257310b498)
parent d3c7391d

drivers/cam_sensor_module/cam_sensor_utils/cam_sensor_util.c

+10 −10
Original line number Diff line number Diff line
@@ -150,10 +150,11 @@ int32_t cam_sensor_handle_random_write( 
	struct list_head **list)

{

	struct i2c_settings_list  *i2c_list;

	int32_t rc = 0, cnt;

	int32_t rc = 0, cnt, payload_count;



	payload_count = cam_cmd_i2c_random_wr->header.count;

	i2c_list = cam_sensor_get_i2c_ptr(i2c_reg_settings,

		cam_cmd_i2c_random_wr->header.count);

						payload_count);

	if (i2c_list == NULL ||

		i2c_list->i2c_settings.reg_setting == NULL) {

		CAM_ERR(CAM_SENSOR, "Failed in allocating i2c_list");
@@ -162,15 +163,14 @@ int32_t cam_sensor_handle_random_write( 


	*cmd_length_in_bytes = (sizeof(struct i2c_rdwr_header) +

		sizeof(struct i2c_random_wr_payload) *

		(cam_cmd_i2c_random_wr->header.count));

		payload_count);

	i2c_list->op_code = CAM_SENSOR_I2C_WRITE_RANDOM;

	i2c_list->i2c_settings.addr_type =

		cam_cmd_i2c_random_wr->header.addr_type;

	i2c_list->i2c_settings.data_type =

		cam_cmd_i2c_random_wr->header.data_type;



	for (cnt = 0; cnt < (cam_cmd_i2c_random_wr->header.count);

		cnt++) {

	for (cnt = 0; cnt < payload_count; cnt++) {

		i2c_list->i2c_settings.reg_setting[cnt].reg_addr =

			cam_cmd_i2c_random_wr->random_wr_payload[cnt].reg_addr;

		i2c_list->i2c_settings.reg_setting[cnt].reg_data =
@@ -190,10 +190,11 @@ static int32_t cam_sensor_handle_continuous_write( 
	struct list_head **list)

{

	struct i2c_settings_list *i2c_list;

	int32_t rc = 0, cnt;

	int32_t rc = 0, cnt, payload_count;



	payload_count = cam_cmd_i2c_continuous_wr->header.count;

	i2c_list = cam_sensor_get_i2c_ptr(i2c_reg_settings,

		cam_cmd_i2c_continuous_wr->header.count);

						payload_count);

	if (i2c_list == NULL ||

		i2c_list->i2c_settings.reg_setting == NULL) {

		CAM_ERR(CAM_SENSOR, "Failed in allocating i2c_list");
@@ -203,7 +204,7 @@ static int32_t cam_sensor_handle_continuous_write( 
	*cmd_length_in_bytes = (sizeof(struct i2c_rdwr_header) +

		sizeof(cam_cmd_i2c_continuous_wr->reg_addr) +

		sizeof(struct cam_cmd_read) *

		(cam_cmd_i2c_continuous_wr->header.count));

		(payload_count));

	if (cam_cmd_i2c_continuous_wr->header.op_code ==

		CAMERA_SENSOR_I2C_OP_CONT_WR_BRST)

		i2c_list->op_code = CAM_SENSOR_I2C_WRITE_BURST;
@@ -220,8 +221,7 @@ static int32_t cam_sensor_handle_continuous_write( 
	i2c_list->i2c_settings.size =

		cam_cmd_i2c_continuous_wr->header.count;



	for (cnt = 0; cnt < (cam_cmd_i2c_continuous_wr->header.count);

		cnt++) {

	for (cnt = 0; cnt < payload_count; cnt++) {

		i2c_list->i2c_settings.reg_setting[cnt].reg_addr =

			cam_cmd_i2c_continuous_wr->reg_addr;

		i2c_list->i2c_settings.reg_setting[cnt].reg_data =