Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit d5130389 authored by Haibin Liu's avatar Haibin Liu Committed by TARKZiM
Browse files

msm: sensor: actuator: avoid accessing out of bound memory 



Issue:
When total_steps is updated, after that, copy_from_user
fails with an error, then, i2c_reg_tbl is not allocated.
In this case, when calling msm_actuator_parse_i2c_params,
it lead to out-of-bound memory write.

Fix:
1) Assign total_steps to zero when error from copying.
2) Add NULL pointer check for i2c tbl.

CRs-Fixed: 2111672
Change-Id: Ib9dcb182356e2df8078c131edfd0791fa95a35e0
Signed-off-by: default avatarHaibin Liu <haibinl@codeaurora.org>
Signed-off-by: default avatarVijayaKumar T M <vtmuni@codeaurora.org>
parent 7f70d35e

drivers/media/platform/msm/camera_v2/sensor/actuator/msm_actuator.c

+19 −2
Original line number Diff line number Diff line
@@ -86,6 +86,21 @@ static void msm_actuator_parse_i2c_params(struct msm_actuator_ctrl_t *a_ctrl, 
	uint32_t size = a_ctrl->reg_tbl_size, i = 0;

	struct msm_camera_i2c_reg_array *i2c_tbl = a_ctrl->i2c_reg_tbl;

	CDBG("Enter\n");



	if (a_ctrl == NULL) {

		pr_err("failed. actuator ctrl is NULL");

		return;

	}



	if (a_ctrl->i2c_reg_tbl == NULL) {

		pr_err("failed. i2c reg tabl is NULL");

		return;

	}



	size = a_ctrl->reg_tbl_size;

	write_arr = a_ctrl->reg_tbl;

	i2c_tbl = a_ctrl->i2c_reg_tbl;



	for (i = 0; i < size; i++) {

		/* check that the index into i2c_tbl cannot grow larger that

		the allocated size of i2c_tbl */
@@ -1174,9 +1189,11 @@ static int32_t msm_actuator_set_param(struct msm_actuator_ctrl_t *a_ctrl, 


	if (copy_from_user(&a_ctrl->region_params,

		(void *)set_info->af_tuning_params.region_params,

		a_ctrl->region_size * sizeof(struct region_params_t)))

		a_ctrl->region_size * sizeof(struct region_params_t))) {

		a_ctrl->total_steps = 0;

		pr_err("Error copying region_params\n");

		return -EFAULT;



	}

	if (a_ctrl->act_device_type == MSM_CAMERA_PLATFORM_DEVICE) {

		cci_client = a_ctrl->i2c_client.cci_client;

		cci_client->sid =