mirror of
https://github.com/Divested-Mobile/DivestOS-Build.git
synced 2024-10-01 01:35:54 -04:00
95 lines
3.3 KiB
Diff
95 lines
3.3 KiB
Diff
From f0c0112a6189747a3f24f20210157f9974477e03 Mon Sep 17 00:00:00 2001
|
|
From: Vasko Kalanoski <vaskok@codeaurora.org>
|
|
Date: Fri, 4 Oct 2013 15:28:34 +0300
|
|
Subject: msm: actuator: fix to prevent untrusted pointer to lead DoS
|
|
|
|
fix to prevent untrusted userspace pointer in actuator kernel
|
|
driver to lead DoS
|
|
|
|
Change-Id: I1b64270deb494530d268539e7b420be5ec79b658
|
|
Signed-off-by: Vasko Kalanoski <vaskok@codeaurora.org>
|
|
---
|
|
.../msm/camera_v2/sensor/actuator/msm_actuator.c | 26 +++++++++++++++++-----
|
|
1 file changed, 20 insertions(+), 6 deletions(-)
|
|
|
|
diff --git a/drivers/media/platform/msm/camera_v2/sensor/actuator/msm_actuator.c b/drivers/media/platform/msm/camera_v2/sensor/actuator/msm_actuator.c
|
|
index baa2db8..201a011 100644
|
|
--- a/drivers/media/platform/msm/camera_v2/sensor/actuator/msm_actuator.c
|
|
+++ b/drivers/media/platform/msm/camera_v2/sensor/actuator/msm_actuator.c
|
|
@@ -196,11 +196,19 @@ static int32_t msm_actuator_piezo_move_focus(
|
|
struct msm_actuator_move_params_t *move_params)
|
|
{
|
|
int32_t dest_step_position = move_params->dest_step_pos;
|
|
+ struct damping_params_t ringing_params_kernel;
|
|
int32_t rc = 0;
|
|
int32_t num_steps = move_params->num_steps;
|
|
struct msm_camera_i2c_reg_setting reg_setting;
|
|
CDBG("Enter\n");
|
|
|
|
+ if (copy_from_user(&ringing_params_kernel,
|
|
+ &(move_params->ringing_params[0]),
|
|
+ sizeof(struct damping_params_t))) {
|
|
+ pr_err("copy_from_user failed\n");
|
|
+ return -EFAULT;
|
|
+ }
|
|
+
|
|
if (num_steps == 0)
|
|
return rc;
|
|
|
|
@@ -208,7 +216,7 @@ static int32_t msm_actuator_piezo_move_focus(
|
|
a_ctrl->func_tbl->actuator_parse_i2c_params(a_ctrl,
|
|
(num_steps *
|
|
a_ctrl->region_params[0].code_per_step),
|
|
- move_params->ringing_params[0].hw_params, 0);
|
|
+ ringing_params_kernel.hw_params, 0);
|
|
|
|
reg_setting.reg_setting = a_ctrl->i2c_reg_tbl;
|
|
reg_setting.data_type = a_ctrl->i2c_data_type;
|
|
@@ -230,6 +238,7 @@ static int32_t msm_actuator_move_focus(
|
|
struct msm_actuator_move_params_t *move_params)
|
|
{
|
|
int32_t rc = 0;
|
|
+ struct damping_params_t ringing_params_kernel;
|
|
int8_t sign_dir = move_params->sign_dir;
|
|
uint16_t step_boundary = 0;
|
|
uint16_t target_step_pos = 0;
|
|
@@ -240,6 +249,14 @@ static int32_t msm_actuator_move_focus(
|
|
int32_t num_steps = move_params->num_steps;
|
|
struct msm_camera_i2c_reg_setting reg_setting;
|
|
|
|
+ if (copy_from_user(&ringing_params_kernel,
|
|
+ &(move_params->ringing_params[a_ctrl->curr_region_index]),
|
|
+ sizeof(struct damping_params_t))) {
|
|
+ pr_err("copy_from_user failed\n");
|
|
+ return -EFAULT;
|
|
+ }
|
|
+
|
|
+
|
|
CDBG("called, dir %d, num_steps %d\n", dir, num_steps);
|
|
|
|
if (dest_step_pos == a_ctrl->curr_step_pos)
|
|
@@ -276,9 +293,7 @@ static int32_t msm_actuator_move_focus(
|
|
a_ctrl->step_position_table[target_step_pos];
|
|
a_ctrl->func_tbl->actuator_write_focus(a_ctrl,
|
|
curr_lens_pos,
|
|
- &(move_params->
|
|
- ringing_params[a_ctrl->
|
|
- curr_region_index]),
|
|
+ &ringing_params_kernel,
|
|
sign_dir,
|
|
target_lens_pos);
|
|
curr_lens_pos = target_lens_pos;
|
|
@@ -289,8 +304,7 @@ static int32_t msm_actuator_move_focus(
|
|
a_ctrl->step_position_table[target_step_pos];
|
|
a_ctrl->func_tbl->actuator_write_focus(a_ctrl,
|
|
curr_lens_pos,
|
|
- &(move_params->ringing_params[a_ctrl->
|
|
- curr_region_index]),
|
|
+ &ringing_params_kernel,
|
|
sign_dir,
|
|
target_lens_pos);
|
|
curr_lens_pos = target_lens_pos;
|
|
--
|
|
cgit v1.1
|
|
|