evie/android_kernel_oneplus_msm8998
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

msm: sensor: Fix for variable being de-referenced without proper check

Browse source 
Pointer from userspace is de-referenced before the command is checked.
This might cause a crash if the command being sent is not a valid command.
Hence changing the de-reference such that the pointer is accessed after
checking if a valid command is sent from the userspace.

Change-Id: I8db9382dd184f1564176ab45355954dcde8a3ab3
Signed-off-by: Samyukta Mogily <smogily@codeaurora.org>
This commit is contained in:
Samyukta Mogily 2017-07-11 12:39:04 +05:30
parent 1ccca4730a
commit 6467925a1c
2 changed files with 6 additions and 7 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

10
drivers/media/platform/msm/ais/sensor/flash/msm_flash.c
View file

@ -1022,13 +1022,13 @@ static long msm_flash_subdev_do_ioctl(
sd = vdev_to_v4l2_subdev(vdev);
u32 = (struct msm_flash_cfg_data_t32 *)arg;
flash_data.cfg_type = u32->cfg_type;
for (i = 0; i < MAX_LED_TRIGGERS; i++) {
flash_data.flash_current[i] = u32->flash_current[i];
flash_data.flash_duration[i] = u32->flash_duration[i];
}
switch (cmd) {
case VIDIOC_MSM_FLASH_CFG32:
flash_data.cfg_type = u32->cfg_type;
for (i = 0; i < MAX_LED_TRIGGERS; i++) {
flash_data.flash_current[i] = u32->flash_current[i];
flash_data.flash_duration[i] = u32->flash_duration[i];
}
cmd = VIDIOC_MSM_FLASH_CFG;
switch (flash_data.cfg_type) {
case CFG_FLASH_OFF:

3
drivers/media/platform/msm/ais/sensor/ois/msm_ois.c
View file

@ -781,11 +781,10 @@ static long msm_ois_subdev_do_ioctl(
u32 = (struct msm_ois_cfg_data32 *)arg;
parg = arg;
ois_data.cfgtype = u32->cfgtype;
switch (cmd) {
case VIDIOC_MSM_OIS_CFG32:
cmd = VIDIOC_MSM_OIS_CFG;
ois_data.cfgtype = u32->cfgtype;
switch (u32->cfgtype) {
case CFG_OIS_CONTROL: