msm: ais: sensor: actuator: avoid accessing out of bound memory

Issue:
When total_steps has already been updated and copy_from_user
then fails with an error, i2c_reg_tbl is not allocated.
In this case, calling msm_actuator_parse_i2c_params
leads to an out-of-bound memory write.
Fix:
1) Assign total_steps to zero when error from copying.
2) Add NULL pointer check for i2c tbl.
3) Fixing the issue where the function can return
with an error code leaving "a_ctrl->i2c_reg_tbl"
and "a_ctrl->total_steps" out of sync.

Change-Id: Ib46deceb7bd8efff1cb606b894396e7016271dd3
Signed-off-by: Rahul Sharma <sharah@codeaurora.org>
This commit is contained in:
Rahul Sharma 2017-12-29 14:01:12 +05:30 committed by Gerrit - the friendly Code Review server
parent b3b1b7012c
commit 4d4fccf24e


@ -56,6 +56,10 @@ static int32_t msm_actuator_piezo_set_default_focus(
struct msm_camera_i2c_reg_setting reg_setting;
CDBG("Enter\n");
if (a_ctrl->i2c_reg_tbl == NULL) {
pr_err("failed. i2c reg tabl is NULL");
return -EFAULT;
}
if (a_ctrl->curr_step_pos != 0) {
a_ctrl->i2c_tbl_index = 0;
@ -539,6 +543,12 @@ static int32_t msm_actuator_piezo_move_focus(
return -EFAULT;
}
if (a_ctrl->i2c_reg_tbl == NULL) {
pr_err("failed. i2c reg tabl is NULL");
return -EFAULT;
}
if (dest_step_position > a_ctrl->total_steps) {
pr_err("Step pos greater than total steps = %d\n",
dest_step_position);
@ -596,6 +606,12 @@ static int32_t msm_actuator_move_focus(
pr_err("Invalid direction = %d\n", dir);
return -EFAULT;
}
if (a_ctrl->i2c_reg_tbl == NULL) {
pr_err("failed. i2c reg tabl is NULL");
return -EFAULT;
}
if (dest_step_pos > a_ctrl->total_steps) {
pr_err("Step pos greater than total steps = %d\n",
dest_step_pos);
@ -1179,7 +1195,8 @@ static int32_t msm_actuator_set_position(
}
if (!a_ctrl || !a_ctrl->func_tbl ||
!a_ctrl->func_tbl->actuator_parse_i2c_params) {
!a_ctrl->func_tbl->actuator_parse_i2c_params ||
!a_ctrl->i2c_reg_tbl) {
pr_err("failed. NULL actuator pointers.");
return -EFAULT;
}
@ -1291,7 +1308,6 @@ static int32_t msm_actuator_set_param(struct msm_actuator_ctrl_t *a_ctrl,
a_ctrl->region_size = set_info->af_tuning_params.region_size;
a_ctrl->pwd_step = set_info->af_tuning_params.pwd_step;
a_ctrl->total_steps = set_info->af_tuning_params.total_steps;
if (copy_from_user(&a_ctrl->region_params,
(void __user *)set_info->af_tuning_params.region_params,
@ -1305,7 +1321,6 @@ static int32_t msm_actuator_set_param(struct msm_actuator_ctrl_t *a_ctrl,
cci_client->sid =
set_info->actuator_params.i2c_addr >> 1;
cci_client->retries = 3;
cci_client->id_map = 0;
cci_client->cci_i2c_master = a_ctrl->cci_master;
cci_client->i2c_freq_mode =
set_info->actuator_params.i2c_freq_mode;
@ -1338,6 +1353,8 @@ static int32_t msm_actuator_set_param(struct msm_actuator_ctrl_t *a_ctrl,
return -ENOMEM;
}
a_ctrl->total_steps = set_info->af_tuning_params.total_steps;
if (copy_from_user(&a_ctrl->reg_tbl,
(void __user *)set_info->actuator_params.reg_tbl_params,
a_ctrl->reg_tbl_size *