
Commit 45ef48ce authored by Rahul Sharma's avatar Rahul Sharma Committed by Gerrit - the friendly Code Review server

msm: ais: sensor: actuator: avoid accessing out of bound memory



Issue:
When total_steps is updated and the subsequent copy_from_user
fails with an error, i2c_reg_tbl is not allocated.
In this case, calling msm_actuator_parse_i2c_params
leads to an out-of-bound memory write.
Fix:
1) Assign total_steps to zero when error from copying.
2) Add NULL pointer check for i2c tbl.
3) Fixing the issue where the function can return
with an error code leaving "a_ctrl->i2c_reg_tbl"
and "a_ctrl->total_steps" out of sync.

Change-Id: Ia01851c8c5fda3a466cada885cae5c0651857b16
Signed-off-by: default avatarRahul Sharma <sharah@codeaurora.org>
parent f38ea00b
+20 −3
@@ -56,6 +56,10 @@ static int32_t msm_actuator_piezo_set_default_focus(
	struct msm_camera_i2c_reg_setting reg_setting;

	CDBG("Enter\n");
	if (a_ctrl->i2c_reg_tbl == NULL) {
		pr_err("failed. i2c reg tabl is NULL");
		return -EFAULT;
	}

	if (a_ctrl->curr_step_pos != 0) {
		a_ctrl->i2c_tbl_index = 0;
@@ -539,6 +543,12 @@ static int32_t msm_actuator_piezo_move_focus(
		return -EFAULT;
	}


	if (a_ctrl->i2c_reg_tbl == NULL) {
		pr_err("failed. i2c reg tabl is NULL");
		return -EFAULT;
	}

	if (dest_step_position > a_ctrl->total_steps) {
		pr_err("Step pos greater than total steps = %d\n",
			dest_step_position);
@@ -596,6 +606,12 @@ static int32_t msm_actuator_move_focus(
		pr_err("Invalid direction = %d\n", dir);
		return -EFAULT;
	}

	if (a_ctrl->i2c_reg_tbl == NULL) {
		pr_err("failed. i2c reg tabl is NULL");
		return -EFAULT;
	}

	if (dest_step_pos > a_ctrl->total_steps) {
		pr_err("Step pos greater than total steps = %d\n",
		dest_step_pos);
@@ -1179,7 +1195,8 @@ static int32_t msm_actuator_set_position(
	}

	if (!a_ctrl || !a_ctrl->func_tbl ||
		!a_ctrl->func_tbl->actuator_parse_i2c_params) {
		!a_ctrl->func_tbl->actuator_parse_i2c_params ||
		!a_ctrl->i2c_reg_tbl) {
		pr_err("failed. NULL actuator pointers.");
		return -EFAULT;
	}
@@ -1291,7 +1308,6 @@ static int32_t msm_actuator_set_param(struct msm_actuator_ctrl_t *a_ctrl,

	a_ctrl->region_size = set_info->af_tuning_params.region_size;
	a_ctrl->pwd_step = set_info->af_tuning_params.pwd_step;
	a_ctrl->total_steps = set_info->af_tuning_params.total_steps;

	if (copy_from_user(&a_ctrl->region_params,
		(void *)set_info->af_tuning_params.region_params,
@@ -1306,7 +1322,6 @@ static int32_t msm_actuator_set_param(struct msm_actuator_ctrl_t *a_ctrl,
		cci_client->sid =
			set_info->actuator_params.i2c_addr >> 1;
		cci_client->retries = 3;
		cci_client->id_map = 0;
		cci_client->cci_i2c_master = a_ctrl->cci_master;
		cci_client->i2c_freq_mode =
			set_info->actuator_params.i2c_freq_mode;
@@ -1339,6 +1354,8 @@ static int32_t msm_actuator_set_param(struct msm_actuator_ctrl_t *a_ctrl,
		return -ENOMEM;
	}

	a_ctrl->total_steps = set_info->af_tuning_params.total_steps;

	if (copy_from_user(&a_ctrl->reg_tbl,
		(void *)set_info->actuator_params.reg_tbl_params,
		a_ctrl->reg_tbl_size *