Halaman utama Jelajahi Bantuan
Masuk
samsung-sm8650
/
android_kernel_samsung_sm8650-modules
2
0
Fork 0
Berkas Masalah 0 Permintaan Tarik 0 Wiki
Jelajahi Sumber

msm: camera: sensor: Proper handling of race condition in util api

Power count is coming from user space which can be modified due to
access to shared memory. This change scopes the data locally so
as to avoid vulnerability of count being modified by external
means while executing due to being in shared memory.

CRs-Fixed: 3691744.

Change-Id: I57d13435453195f8aab0c9aad4414d290274ff81
Signed-off-by: Shivi Mangal <[email protected]>
Shivi Mangal 1 tahun lalu
induk
f888f2c3b9
melakukan
0ed9862f09
1 mengubah file dengan 18 tambahan dan 7 penghapusan
Tampilan Split Tampilkan Statistik Diff
  1. 18 7
      drivers/cam_sensor_module/cam_sensor_utils/cam_sensor_util.c

+ 18 - 7
drivers/cam_sensor_module/cam_sensor_utils/cam_sensor_util.c
Tampilan Berkas 

@@ -1,7 +1,7 @@
 
 // SPDX-License-Identifier: GPL-2.0-only
 
 /*
 
  * Copyright (c) 2017-2021, The Linux Foundation. All rights reserved.
 
- * Copyright (c) 2022-2023 Qualcomm Innovation Center, Inc. All rights reserved.
 
+ * Copyright (c) 2022-2024 Qualcomm Innovation Center, Inc. All rights reserved.
 
  */
 
 
 #include <linux/kernel.h>
 
@@ -1401,22 +1401,29 @@ int32_t cam_sensor_update_power_settings(void *cmd_buf,
 
 	int32_t i = 0, pwr_up = 0, pwr_down = 0;
 
 	struct cam_sensor_power_setting *pwr_settings;
 
 	void *ptr = cmd_buf, *scr;
 
-	struct cam_cmd_power *pwr_cmd = (struct cam_cmd_power *)cmd_buf;
 
 	struct common_header *cmm_hdr = (struct common_header *)cmd_buf;
 
+	struct cam_cmd_power *pwr_cmd =
 
+		kzalloc(sizeof(struct cam_cmd_power), GFP_KERNEL);
 
+	if (!pwr_cmd)
 
+		return -ENOMEM;
 
+	memcpy(pwr_cmd, cmd_buf, sizeof(struct cam_cmd_power));
 
 
 	if (!pwr_cmd || !cmd_length || cmd_buf_len < (size_t)cmd_length ||
 
 		cam_sensor_validate(cmd_buf, cmd_buf_len)) {
 
 		CAM_ERR(CAM_SENSOR_UTIL, "Invalid Args: pwr_cmd %pK, cmd_length: %d",
 
 			pwr_cmd, cmd_length);
 
-		return -EINVAL;
 
+		rc = -EINVAL;
 
+		goto free_power_command;
 
 	}
 
 
 	power_info->power_setting_size = 0;
 
 	power_info->power_setting =
 
 		kzalloc(sizeof(struct cam_sensor_power_setting) *
 
 			MAX_POWER_CONFIG, GFP_KERNEL);
 
-	if (!power_info->power_setting)
 
-		return -ENOMEM;
 
+	if (!power_info->power_setting) {
 
+		rc = -ENOMEM;
 
+		goto free_power_command;
 
+	}
 
 
 	power_info->power_down_setting_size = 0;
 
 	power_info->power_down_setting =
 
@@ -1426,7 +1433,8 @@ int32_t cam_sensor_update_power_settings(void *cmd_buf,
 
 		kfree(power_info->power_setting);
 
 		power_info->power_setting = NULL;
 
 		power_info->power_setting_size = 0;
 
-		return -ENOMEM;
 
+		rc = -ENOMEM;
 
+		goto free_power_command;
 
 	}
 
 
 	while (tot_size < cmd_length) {
 
@@ -1610,7 +1618,7 @@ int32_t cam_sensor_update_power_settings(void *cmd_buf,
 
 		}
 
 	}
 
 
-	return rc;
 
+	goto free_power_command;
 
 free_power_settings:
 
 	kfree(power_info->power_down_setting);
 
 	kfree(power_info->power_setting);
 
@@ -1618,6 +1626,9 @@ free_power_settings:
 
 	power_info->power_setting = NULL;
 
 	power_info->power_down_setting_size = 0;
 
 	power_info->power_setting_size = 0;
 
+free_power_command:
 
+	kfree(pwr_cmd);
 
+	pwr_cmd = NULL;
 
 	return rc;
 
 }