
Commit 021cacf1 authored by Haibin Liu, committed by Gerrit - the friendly Code Review server

msm: sensor: actuator: avoid accessing out of bound memory



Issue:
When total_steps is updated, after that, copy_from_user
fails with an error, then, i2c_reg_tbl is not allocated.
In this case, when calling msm_actuator_parse_i2c_params,
it leads to out-of-bound memory write.

Fix:
1) Assign total_steps to zero when error from copying.
2) Add NULL pointer check for i2c tbl.

CRs-Fixed: 2111672
Change-Id: Ib9dcb182356e2df8078c131edfd0791fa95a35e0
Signed-off-by: Haibin Liu <haibinl@codeaurora.org>
parent 58cb71ae
+9 −2
@@ -96,6 +96,11 @@ static void msm_actuator_parse_i2c_params(struct msm_actuator_ctrl_t *a_ctrl,
		return;
	}

	if (a_ctrl->i2c_reg_tbl == NULL) {
		pr_err("failed. i2c reg tabl is NULL");
		return;
	}

	size = a_ctrl->reg_tbl_size;
	write_arr = a_ctrl->reg_tbl;
	i2c_tbl = a_ctrl->i2c_reg_tbl;
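Review bot: The new NULL check in msm_actuator_parse_i2c_params only covers a table that was never allocated; it does not show that a non-NULL i2c_reg_tbl is large enough for the writes that follow. If a table left over from an earlier successful set_param call can survive alongside a larger total_steps, the out-of-bound write is still reachable, so please confirm the table's capacity is tracked and checked against the index before each store, or that the stale pointer is freed and set to NULL on every failure path. Minor: the message in pr_err("failed. i2c reg tabl is NULL") is missing its trailing "\n" and has a typo ("tabl"), unlike the pr_err added in the second hunk.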
@@ -1278,9 +1283,11 @@ static int32_t msm_actuator_set_param(struct msm_actuator_ctrl_t *a_ctrl,

	if (copy_from_user(&a_ctrl->region_params,
		(void *)set_info->af_tuning_params.region_params,
		a_ctrl->region_size * sizeof(struct region_params_t)))
		a_ctrl->region_size * sizeof(struct region_params_t))) {
		a_ctrl->total_steps = 0;
		pr_err("Error copying region_params\n");
		return -EFAULT;

	}
	if (a_ctrl->act_device_type == MSM_CAMERA_PLATFORM_DEVICE) {
		cci_client = a_ctrl->i2c_client.cci_client;
		cci_client->sid =
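Review bot: Resetting a_ctrl->total_steps to 0 in the copy_from_user failure branch of msm_actuator_set_param fixes this one exit, but any other early return between the point where total_steps is updated and the point where i2c_reg_tbl is allocated would leave the same inconsistent state. It would be more robust to compute the new value in a local variable and assign a_ctrl->total_steps only after the allocation succeeds, or to route all failures through a single error label that clears it. The copy length a_ctrl->region_size * sizeof(struct region_params_t) is also not bounded in the visible lines, so please confirm region_size is validated against the capacity of a_ctrl->region_params before this call. Style: there is a stray blank line before the closing brace of the new error block.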