Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit b5f41b05 authored by Manish Poddar's avatar Manish Poddar Committed by Gerrit - the friendly Code Review server
Browse files

msm: camera: Lack of copy_from_user in camera driver. 



In msm_copy_camera_private_ioctl_args function in
msm_buf_mgr camera driver arg is pointing to an address
in userspace and not kernel.
Done changes to use copy_from_user to fix it.

Change-Id: Ia9b747dcf86b448656a5d3676455ccb4eccd4e5a
Signed-off-by: default avatarManish Poddar <mpoddar@codeaurora.org>
parent d044c402

drivers/media/platform/msm/camera_v2/msm.c

+11 −7
Original line number Diff line number Diff line
@@ -1104,17 +1104,21 @@ long msm_copy_camera_private_ioctl_args(unsigned long arg, 
	struct msm_camera_private_ioctl_arg *k_ioctl,

	void __user **tmp_compat_ioctl_ptr)

{

	struct msm_camera_private_ioctl_arg *up_ioctl_ptr =

		(struct msm_camera_private_ioctl_arg *)arg;

	struct msm_camera_private_ioctl_arg up_ioctl;



	if (WARN_ON(!arg || !k_ioctl || !tmp_compat_ioctl_ptr))

		return -EIO;



	k_ioctl->id = up_ioctl_ptr->id;

	k_ioctl->size = up_ioctl_ptr->size;

	k_ioctl->result = up_ioctl_ptr->result;

	k_ioctl->reserved = up_ioctl_ptr->reserved;

	*tmp_compat_ioctl_ptr = compat_ptr(up_ioctl_ptr->ioctl_ptr);

	if (copy_from_user(&up_ioctl,

		(struct msm_camera_private_ioctl_arg *)arg,

		sizeof(struct msm_camera_private_ioctl_arg)))

		return -EFAULT;



	k_ioctl->id = up_ioctl.id;

	k_ioctl->size = up_ioctl.size;

	k_ioctl->result = up_ioctl.result;

	k_ioctl->reserved = up_ioctl.reserved;

	*tmp_compat_ioctl_ptr = compat_ptr(up_ioctl.ioctl_ptr);



	return 0;

}