
Commit 6a48182a authored by kaiwang's avatar kaiwang Committed by Gerrit - the friendly Code Review server

msm: camera: sensor: validating the flash initialization parameters



Copy the flash initialization parameters from userspace memory to
kernel memory, and in doing so check the validity of the flash
initialization parameter pointer sent from userspace.

CRs-Fixed: 2059812
Change-Id: I957c10959108eb08b263d439a9a449b90338b6db
Signed-off-by: default avatarkaiwang <kaiwang@codeaurora.org>
Signed-off-by: default avatarHaibin Liu <haibinl@codeaurora.org>
parent 13f80029
+37 −14
@@ -501,22 +501,17 @@ static int32_t msm_flash_init(
	return 0;
}

#ifdef CONFIG_COMPAT
static int32_t msm_flash_init_prepare(
	struct msm_flash_ctrl_t *flash_ctrl,
	struct msm_flash_cfg_data_t *flash_data)
{
	return msm_flash_init(flash_ctrl, flash_data);
}
#else
static int32_t msm_flash_init_prepare(
	struct msm_flash_ctrl_t *flash_ctrl,
	struct msm_flash_cfg_data_t *flash_data)
{
#ifdef CONFIG_COMPAT
	struct msm_flash_cfg_data_t flash_data_k;
	struct msm_flash_init_info_t flash_init_info;
	int32_t i = 0;

	if (!is_compat_task()) {
		/*for 64-bit usecase,it need copy the data to local memory*/
		flash_data_k.cfg_type = flash_data->cfg_type;
		for (i = 0; i < MAX_LED_TRIGGERS; i++) {
			flash_data_k.flash_current[i] =
@@ -527,7 +522,7 @@ static int32_t msm_flash_init_prepare(

		flash_data_k.cfg.flash_init_info = &flash_init_info;
		if (copy_from_user(&flash_init_info,
			(void *)(flash_data->cfg.flash_init_info),
			(void __user *)(flash_data->cfg.flash_init_info),
			sizeof(struct msm_flash_init_info_t))) {
			pr_err("%s copy_from_user failed %d\n",
				__func__, __LINE__);
@@ -535,7 +530,35 @@ static int32_t msm_flash_init_prepare(
		}
		return msm_flash_init(flash_ctrl, &flash_data_k);
	}
	/*
	 * for 32-bit usecase,it already copy the userspace
	 * data to local memory in msm_flash_subdev_do_ioctl()
	 * so here do not need copy from user
	 */
	return msm_flash_init(flash_ctrl, flash_data);
#else
	struct msm_flash_cfg_data_t flash_data_k;
	struct msm_flash_init_info_t flash_init_info;
	int32_t i = 0;
	flash_data_k.cfg_type = flash_data->cfg_type;
	for (i = 0; i < MAX_LED_TRIGGERS; i++) {
		flash_data_k.flash_current[i] =
			flash_data->flash_current[i];
		flash_data_k.flash_duration[i] =
			flash_data->flash_duration[i];
	}

	flash_data_k.cfg.flash_init_info = &flash_init_info;
	if (copy_from_user(&flash_init_info,
		(void __user *)(flash_data->cfg.flash_init_info),
		sizeof(struct msm_flash_init_info_t))) {
		pr_err("%s copy_from_user failed %d\n",
			__func__, __LINE__);
		return -EFAULT;
	}
	return msm_flash_init(flash_ctrl, &flash_data_k);
#endif
}

static int32_t msm_flash_low(
	struct msm_flash_ctrl_t *flash_ctrl,
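Review bot: The 32-bit path in msm_flash_init_prepare() (the `return msm_flash_init(flash_ctrl, flash_data);` that follows the `is_compat_task()` block) still passes `flash_data->cfg.flash_init_info` on without copying it, and the only guarantee that it is a kernel pointer is the comment saying msm_flash_subdev_do_ioctl() copied it first. That caller is not shown on this page, so the invariant should be confirmed for every path that can reach this function from a compat task and stated where it is relied on, for example `/* flash_init_info must already be a kernel copy here; msm_flash_subdev_do_ioctl() is the only compat caller */`. In the two copying branches, copy_from_user() takes a shallow copy of struct msm_flash_init_info_t, so any pointer members inside it presumably still hold userspace addresses and need their own copy or validation inside msm_flash_init(), which lies outside this diff. The `#ifdef CONFIG_COMPAT` and `#else` bodies also repeat the same copy code line for line; moving it into one static helper would keep a later fix from landing in only one of them.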