
Commit dd998dba authored by Akash Puliyadi Jegannathan's avatar Akash Puliyadi Jegannathan Committed by Pritam Sarkar

msm: camera: sensor: TOCTOU error handling in eeprom



IO config can be modified through access to shared memory.
This change copies the data into local variables to avoid the
vulnerability of the count being modified by external
means during execution while it resides in shared memory.

CRs-Fixed: 3777635
Change-Id: Ia5dd9138dcf8449e2d800aca9ffed73d9c4ba3ea
Signed-off-by: default avatarAkash Puliyadi Jegannathan <quic_apuliyad@quicinc.com>
parent 6b4232c9
+12 −8
@@ -1075,6 +1075,8 @@ static int32_t cam_eeprom_get_cal_data(struct cam_eeprom_ctrl_t *e_ctrl,
{
	struct cam_buf_io_cfg *io_cfg;
	uint32_t              i = 0;
	size_t                plane_offset;
	int32_t               mem_handle;
	int                   rc = 0;
	uintptr_t              buf_addr;
	size_t                buf_size;
@@ -1084,6 +1086,8 @@ static int32_t cam_eeprom_get_cal_data(struct cam_eeprom_ctrl_t *e_ctrl,
	io_cfg = (struct cam_buf_io_cfg *) ((uint8_t *)
		&csl_packet->payload +
		csl_packet->io_configs_offset);
	plane_offset = io_cfg->offsets[0];
	mem_handle   = io_cfg->mem_handle[0];

	CAM_DBG(CAM_EEPROM, "number of IO configs: %d:",
		csl_packet->num_io_configs);
@@ -1091,21 +1095,21 @@ static int32_t cam_eeprom_get_cal_data(struct cam_eeprom_ctrl_t *e_ctrl,
	for (i = 0; i < csl_packet->num_io_configs; i++) {
		CAM_DBG(CAM_EEPROM, "Direction: %d:", io_cfg->direction);
		if (io_cfg->direction == CAM_BUF_OUTPUT) {
			rc = cam_mem_get_cpu_buf(io_cfg->mem_handle[0],
			rc = cam_mem_get_cpu_buf(mem_handle,
				&buf_addr, &buf_size);
			if (rc) {
				CAM_ERR(CAM_EEPROM, "Fail in get buffer: %d",
					rc);
				return rc;
			}
			if (buf_size <= io_cfg->offsets[0]) {
			if (buf_size <= plane_offset) {
				CAM_ERR(CAM_EEPROM, "Not enough buffer");
				cam_mem_put_cpu_buf(io_cfg->mem_handle[0]);
				cam_mem_put_cpu_buf(mem_handle);
				rc = -EINVAL;
				return rc;
			}

			remain_len = buf_size - io_cfg->offsets[0];
			remain_len = buf_size - plane_offset;
			CAM_DBG(CAM_EEPROM, "buf_addr : %pK, buf_size : %zu\n",
				(void *)buf_addr, buf_size);

@@ -1113,16 +1117,16 @@ static int32_t cam_eeprom_get_cal_data(struct cam_eeprom_ctrl_t *e_ctrl,
			if (!read_buffer) {
				CAM_ERR(CAM_EEPROM,
					"invalid buffer to copy data");
				cam_mem_put_cpu_buf(io_cfg->mem_handle[0]);
				cam_mem_put_cpu_buf(mem_handle);
				rc = -EINVAL;
				return rc;
			}
			read_buffer += io_cfg->offsets[0];
			read_buffer += plane_offset;

			if (remain_len < e_ctrl->cal_data.num_data) {
				CAM_ERR(CAM_EEPROM,
					"failed to copy, Invalid size");
				cam_mem_put_cpu_buf(io_cfg->mem_handle[0]);
				cam_mem_put_cpu_buf(mem_handle);
				rc = -EINVAL;
				return rc;
			}
@@ -1131,7 +1135,7 @@ static int32_t cam_eeprom_get_cal_data(struct cam_eeprom_ctrl_t *e_ctrl,
				e_ctrl->cal_data.num_data);
			memcpy(read_buffer, e_ctrl->cal_data.mapdata,
					e_ctrl->cal_data.num_data);
			cam_mem_put_cpu_buf(io_cfg->mem_handle[0]);
			cam_mem_put_cpu_buf(mem_handle);
		} else {
			CAM_ERR(CAM_EEPROM, "Invalid direction");
			rc = -EINVAL;
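Review bot: The local copies cover only `offsets[0]` and `mem_handle[0]`; the loop bound `csl_packet->num_io_configs` and `io_cfg->direction` are still read from the packet on every iteration, so if the packet sits in the shared mapping the commit message describes, those fields can still change between check and use. Consider snapshotting them too, e.g. `uint32_t num_io = READ_ONCE(csl_packet->num_io_configs);` before the loop and a single `READ_ONCE(io_cfg->direction)` per iteration feeding both the debug print and the comparison; using `READ_ONCE()` on the two new assignments would also stop the compiler from re-fetching them. The snapshot is taken once before the loop, so if `io_cfg` is advanced per entry in code outside these hunks, later iterations would reuse entry 0's handle and offset, which is worth confirming. A short comment above the two assignments, such as `/* copy once: io_cfg is in user-shared memory and may change under us */`, would keep a later cleanup from reverting to direct reads. The function's opening and its tail lie outside the visible hunks.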