
Commit 50f424f0 authored by Trishansh Bhardwaj's avatar Trishansh Bhardwaj

msm: camera: Do not pass kptr in copy_from_user



Do not call copy_from_user in ioctl handler if CONFIG_COMPAT
is defined.
With a 64-bit kernel and 32-bit userspace, an ioctl call invokes
compat_ioctl. copy_from_user is first done in compat_ioctl, then the
pointer is passed to unlocked_ioctl for the actual processing. In
unlocked_ioctl, copy_from_user is called again, on a kernel pointer.

Change-Id: I2334379f48e30b58757f0fe5e238e8df5753eea8
Signed-off-by: default avatarTrishansh Bhardwaj <tbhardwa@codeaurora.org>
parent 5d78c03a
+13 −8
@@ -540,20 +540,24 @@ static long msm_buf_mngr_subdev_ioctl(struct v4l2_subdev *sd,
		k_ioctl = *ptr;
		switch (k_ioctl.id) {
		case MSM_CAMERA_BUF_MNGR_IOCTL_ID_GET_BUF_BY_IDX: {
			struct msm_buf_mngr_info buf_info, *tmp = NULL;

			if (k_ioctl.size != sizeof(struct msm_buf_mngr_info))
				return -EINVAL;
			if (!k_ioctl.ioctl_ptr)
				return -EINVAL;
#ifndef CONFIG_COMPAT
			{
				struct msm_buf_mngr_info buf_info, *tmp = NULL;

			MSM_CAM_GET_IOCTL_ARG_PTR(&tmp, &k_ioctl.ioctl_ptr,
				sizeof(tmp));
				MSM_CAM_GET_IOCTL_ARG_PTR(&tmp,
					&k_ioctl.ioctl_ptr, sizeof(tmp));
				if (copy_from_user(&buf_info, tmp,
					sizeof(struct msm_buf_mngr_info))) {
					return -EFAULT;
				}
				k_ioctl.ioctl_ptr = (uintptr_t)&buf_info;
			}
#endif
			argp = &k_ioctl;
			rc = msm_cam_buf_mgr_ops(cmd, argp);
			}
@@ -674,6 +678,7 @@ static long msm_camera_buf_mgr_internal_compat_ioctl(struct file *file,
			return -EINVAL;
		}
		k_ioctl.ioctl_ptr = (__u64)&buf_info;
		k_ioctl.size = sizeof(struct msm_buf_mngr_info);
		rc = msm_camera_buf_mgr_fetch_buf_info(&buf_info32, &buf_info,
			(unsigned long)tmp_compat_ioctl_ptr);
		if (rc < 0) {
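Review bot: The `#ifndef CONFIG_COMPAT` guard in the GET_BUF_BY_IDX case of msm_buf_mngr_subdev_ioctl decides at build time whether `k_ioctl.ioctl_ptr` is a user or a kernel address, but that is a property of each call. On a kernel built with CONFIG_COMPAT, a native 64-bit caller that reaches this case without passing through msm_camera_buf_mgr_internal_compat_ioctl would, as far as the hunk shows, have its caller-supplied `ioctl_ptr` handed to `msm_cam_buf_mgr_ops` as a kernel pointer with no copy_from_user; the call paths lie outside the hunk, so this needs confirming. A safer shape is to keep the copy unconditional in the user-facing handler and let the compat path reach the buffer ops through a separate internal entry point with its already-copied struct, or at minimum to test the caller at run time (`if (!is_compat_task()) {`) rather than with the preprocessor. Separately, on the new side as rendered, `buf_info` is declared inside the inner `{ }` block, yet `k_ioctl.ioctl_ptr = (uintptr_t)&buf_info;` is consumed by `msm_cam_buf_mgr_ops(cmd, argp)` after that block has closed, so the pointer outlives the object; the declaration should stay at case scope. The function body starts and ends outside the hunk.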