msm: camera2: cpp: Avoid incorrect argument access in IOCTL

The command MSM_SD_SHUTDOWN is used for internal sub-devices
communication from camera node. The argument in this command
is different from other commands. This change handles the
command MSM_SD_SHUTDOWN separately from other commands for
input argument validation.

BUG: KASan: out of bounds on stack in
msm_cpp_subdev_ioctl+0xf8/0x17d4 at addr ffffffc052e2f9c8
Read of size 8 by task mm-qcamera-daem/868
page:ffffffbb07d36be8 count:0 mapcount:0 mapping:
(null) index:0x0 flags: 0x0()
page dumped because: kasan: bad access detected
CPU: 2 PID: 868 Comm: mm-qcamera-daem Tainted:
G W 3.18.0-g4d43ecd-dirty #5
Hardware name: Qualcomm Technologies, Inc.
MSM 8996 v2 + PMI8994 MTP (DT)
Call trace:
[<ffffffc000089c70>] dump_backtrace+0x0/0x1c4
[<ffffffc000089e44>] show_stack+0x10/0x1c
[<ffffffc0010cadfc>] dump_stack+0x74/0xc8
[<ffffffc00020e360>] kasan_report_error+0x2ac/0x3d0
[<ffffffc00020e560>] kasan_report+0x34/0x40
[<ffffffc00020d520>] __asan_load8+0x84/0x90
[<ffffffc000a281f4>] msm_cpp_subdev_ioctl+0xf4/0x17d4
[<ffffffc0009edb3c>] msm_close+0x16c/0x274
[<ffffffc0009645b4>] v4l2_release+0x44/0xa8
[<ffffffc0002194c8>] __fput+0x17c/0x2a4
[<ffffffc000219650>] ____fput+0x8/0x14
[<ffffffc0000ce140>] task_work_run+0x100/0x138
[<ffffffc0000ab054>] do_exit+0x64c/0xdcc
[<ffffffc0000ace98>] do_group_exit+0x84/0x120
[<ffffffc0000bc288>] get_signal+0x6f8/0x750
[<ffffffc000088e34>] do_signal+0x118/0x700
[<ffffffc00008971c>] do_notify_resume+0x14/0x6c
Memory state around the buggy address:
ffffffc052e2f880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffffffc052e2f900: 00 f4 f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00
>ffffffc052e2f980: 00 00 f1 f1 f1 f1 00 f4 f4 f4 f3 f3 f3 f3 00 00
^
ffffffc052e2fa00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffffffc052e2fa80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Change-Id: Ia4b69c29ab6cb36e7a1f477fd0e08ce0884aacb6
Signed-off-by: Rajakumar Govindaram <rajakuma@codeaurora.org>
Signed-off-by: Krishnankutty Kolathappilly <kkolatha@codeaurora.org>
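
The ordering problem described in the commit message, modelled in user-space C as an added example; it is not the driver's code and not part of this commit. Every name here (`demo_ioctl_ptr`, `DEMO_CMD_SHUTDOWN`, `demo_ioctl_checked`, and so on) and the 4-byte shutdown argument are assumptions made for illustration.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>

/* Hypothetical command numbers and types; not the msm driver's definitions. */
enum demo_cmd { DEMO_CMD_CFG = 1, DEMO_CMD_SHUTDOWN = 2 };

/* Argument layout assumed for every command except shutdown. */
struct demo_ioctl_ptr {
    void *ioctl_ptr;
    uint32_t len;
};

static int demo_shutdown_calls;

/* Defective ordering: arg is read as demo_ioctl_ptr before cmd is examined.
 * For DEMO_CMD_SHUTDOWN the caller's object is smaller than the struct, so
 * the pointer-sized load of ->ioctl_ptr runs past it on the caller's stack. */
int demo_ioctl_unchecked(enum demo_cmd cmd, void *arg)
{
    struct demo_ioctl_ptr *p = arg;

    if (p == NULL || p->ioctl_ptr == NULL || p->len == 0)
        return -EINVAL;
    if (cmd == DEMO_CMD_SHUTDOWN)
        demo_shutdown_calls++;
    return 0;
}

/* Corrected ordering: shutdown is dispatched before any field of arg is read. */
int demo_ioctl_checked(enum demo_cmd cmd, void *arg)
{
    struct demo_ioctl_ptr *p = arg;

    if (arg == NULL)
        return -EINVAL;
    if (cmd == DEMO_CMD_SHUTDOWN) {
        demo_shutdown_calls++;  /* arg is not a demo_ioctl_ptr for this command */
        return 0;
    }
    if (p->ioctl_ptr == NULL || p->len == 0)
        return -EINVAL;
    return 0;
}

int main(void)
{
    uint32_t session = 7;  /* constructed: a small argument from an internal caller */
    return demo_ioctl_checked(DEMO_CMD_SHUTDOWN, &session);
}
```

`demo_ioctl_unchecked` is safe only when the argument really is a `demo_ioctl_ptr`; compiling the file with `-fsanitize=address` and passing it the 4-byte shutdown argument reproduces the class of stack out-of-bounds read that KASan reports above.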