Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit bbc15724 authored by Krishnankutty Kolathappilly's avatar Krishnankutty Kolathappilly Committed by Gerrit - the friendly Code Review server
Browse files

msm: camera: cpp: Fix unprotected userspace access 



After enabling KASan, unprotected userspace access causes
a PTE translation fault as it can covers only kernel memory
region. Following is the crash error for the reference.

[  490.361698] BUG: KASan: user-memory-access on address
  00000000f03ff9a8
[  490.368199] Read of size 8 by task CAM_cpp/4309
[  490.372758] Call trace:
[  490.373206]  MSM8996 LowLatency: ASoC: failed to start some
 BEs -19
[  490.381429] [<ffffffc000089ec4>] dump_backtrace+0x0/0x1c4
[  490.386815] [<ffffffc00008a098>] show_stack+0x10/0x1c
[  490.391841] [<ffffffc001138ffc>] dump_stack+0x74/0xc8
[  490.396861] [<ffffffc0002155b8>]
 kasan_report_user_access+0x80/0xa8
[  490.403107] [<ffffffc000214554>] __asan_load8+0x30/0x90
[  490.408305] [<ffffffc000a7e7fc>]
 msm_cpp_subdev_fops_compat_ioctl+0x1330/0x180c
[  490.415631] [<ffffffc0009d5a7c>] v4l2_compat_ioctl32+0xb8/0xe0
[  490.421455] [<ffffffc000283fe4>] compat_SyS_ioctl+0x1ac/0x1a18
[  490.427223] =================================================

Change-Id: Ic5d2502a84f0b8675e8cb3d2d7f29260a1172ed4
Signed-off-by: default avatarKrishnankutty Kolathappilly <kkolatha@codeaurora.org>
parent a956413b

drivers/media/platform/msm/camera_v2/pproc/cpp/msm_cpp.c

+21 −18
Original line number Diff line number Diff line
@@ -3484,9 +3484,10 @@ static long msm_cpp_subdev_fops_compat_ioctl(struct file *file, 
	{

		struct msm_cpp_clock_settings32_t *clock_settings32 =

			(struct msm_cpp_clock_settings32_t *)kp_ioctl.ioctl_ptr;

		clock_settings.clock_rate = clock_settings32->clock_rate;

		clock_settings.avg = clock_settings32->avg;

		clock_settings.inst = clock_settings32->inst;

		get_user(clock_settings.clock_rate,

			&clock_settings32->clock_rate);

		get_user(clock_settings.avg, &clock_settings32->avg);

		get_user(clock_settings.inst, &clock_settings32->inst);

		kp_ioctl.ioctl_ptr = (void *)&clock_settings;

		if (is_compat_task()) {

			if (kp_ioctl.len != sizeof(
@@ -3504,25 +3505,27 @@ static long msm_cpp_subdev_fops_compat_ioctl(struct file *file, 
		struct msm_pproc_queue_buf_info32_t *u32_queue_buf =

		  (struct msm_pproc_queue_buf_info32_t *)kp_ioctl.ioctl_ptr;



		k_queue_buf.is_buf_dirty = u32_queue_buf->is_buf_dirty;

		k_queue_buf.buff_mgr_info.session_id =

			u32_queue_buf->buff_mgr_info.session_id;

		k_queue_buf.buff_mgr_info.stream_id =

			u32_queue_buf->buff_mgr_info.stream_id;

		k_queue_buf.buff_mgr_info.frame_id =

			u32_queue_buf->buff_mgr_info.frame_id;

		k_queue_buf.buff_mgr_info.index =

			u32_queue_buf->buff_mgr_info.index;

		k_queue_buf.buff_mgr_info.timestamp.tv_sec =

			u32_queue_buf->buff_mgr_info.timestamp.tv_sec;

		k_queue_buf.buff_mgr_info.timestamp.tv_usec =

			u32_queue_buf->buff_mgr_info.timestamp.tv_usec;

		get_user(k_queue_buf.is_buf_dirty,

			&u32_queue_buf->is_buf_dirty);

		get_user(k_queue_buf.buff_mgr_info.session_id,

			&u32_queue_buf->buff_mgr_info.session_id);

		get_user(k_queue_buf.buff_mgr_info.stream_id,

			&u32_queue_buf->buff_mgr_info.stream_id);

		get_user(k_queue_buf.buff_mgr_info.frame_id,

			&u32_queue_buf->buff_mgr_info.frame_id);

		get_user(k_queue_buf.buff_mgr_info.index,

			&u32_queue_buf->buff_mgr_info.index);

		get_user(k_queue_buf.buff_mgr_info.timestamp.tv_sec,

			&u32_queue_buf->buff_mgr_info.timestamp.tv_sec);

		get_user(k_queue_buf.buff_mgr_info.timestamp.tv_usec,

			&u32_queue_buf->buff_mgr_info.timestamp.tv_usec);



		/*

		 * Update the reserved field (cds information) to buffer

		 * manager structure so that it is propogated back to HAL

		 */

		k_queue_buf.buff_mgr_info.reserved =

			u32_queue_buf->buff_mgr_info.reserved;

		get_user(k_queue_buf.buff_mgr_info.reserved,

			&u32_queue_buf->buff_mgr_info.reserved);



		kp_ioctl.ioctl_ptr = (void *)&k_queue_buf;

		kp_ioctl.len = sizeof(struct msm_pproc_queue_buf_info);