msm: camera: sensor: TOCTOU error handling in eeprom

The IO config resides in shared memory and can therefore be modified
while the driver is using it. This change scopes the data locally to
avoid the vulnerability of the count being modified by external
means during execution.

CRs-Fixed: 3777635
Change-Id: Ia5dd9138dcf8449e2d800aca9ffed73d9c4ba3ea
Signed-off-by: Akash Puliyadi Jegannathan <quic_apuliyad@quicinc.com>
Akash Puliyadi Jegannathan
2024-05-29 14:33:39 +05:30
committed by Sridhar Gujje
parent 6ddbe8dd37
commit 533ee451e6


@@ -1087,6 +1087,8 @@ static int32_t cam_eeprom_get_cal_data(struct cam_eeprom_ctrl_t *e_ctrl,
{
struct cam_buf_io_cfg *io_cfg;
uint32_t i = 0;
size_t plane_offset;
int32_t mem_handle;
int rc = 0;
uintptr_t buf_addr;
size_t buf_size;
@@ -1096,6 +1098,8 @@ static int32_t cam_eeprom_get_cal_data(struct cam_eeprom_ctrl_t *e_ctrl,
io_cfg = (struct cam_buf_io_cfg *) ((uint8_t *)
&csl_packet->payload +
csl_packet->io_configs_offset);
plane_offset = io_cfg->offsets[0];
mem_handle = io_cfg->mem_handle[0];
CAM_DBG(CAM_EEPROM, "number of IO configs: %d:",
csl_packet->num_io_configs);
@@ -1103,21 +1107,21 @@ static int32_t cam_eeprom_get_cal_data(struct cam_eeprom_ctrl_t *e_ctrl,
for (i = 0; i < csl_packet->num_io_configs; i++) {
CAM_DBG(CAM_EEPROM, "Direction: %d:", io_cfg->direction);
if (io_cfg->direction == CAM_BUF_OUTPUT) {
rc = cam_mem_get_cpu_buf(io_cfg->mem_handle[0],
rc = cam_mem_get_cpu_buf(mem_handle,
&buf_addr, &buf_size);
if (rc) {
CAM_ERR(CAM_EEPROM, "Fail in get buffer: %d",
rc);
return rc;
}
if (buf_size <= io_cfg->offsets[0]) {
if (buf_size <= plane_offset) {
CAM_ERR(CAM_EEPROM, "Not enough buffer");
cam_mem_put_cpu_buf(io_cfg->mem_handle[0]);
cam_mem_put_cpu_buf(mem_handle);
rc = -EINVAL;
return rc;
}
remain_len = buf_size - io_cfg->offsets[0];
remain_len = buf_size - plane_offset;
CAM_DBG(CAM_EEPROM, "buf_addr : %pK, buf_size : %zu\n",
(void *)buf_addr, buf_size);
@@ -1125,16 +1129,16 @@ static int32_t cam_eeprom_get_cal_data(struct cam_eeprom_ctrl_t *e_ctrl,
if (!read_buffer) {
CAM_ERR(CAM_EEPROM,
"invalid buffer to copy data");
cam_mem_put_cpu_buf(io_cfg->mem_handle[0]);
cam_mem_put_cpu_buf(mem_handle);
rc = -EINVAL;
return rc;
}
read_buffer += io_cfg->offsets[0];
read_buffer += plane_offset;
if (remain_len < e_ctrl->cal_data.num_data) {
CAM_ERR(CAM_EEPROM,
"failed to copy, Invalid size");
cam_mem_put_cpu_buf(io_cfg->mem_handle[0]);
cam_mem_put_cpu_buf(mem_handle);
rc = -EINVAL;
return rc;
}
@@ -1143,7 +1147,7 @@ static int32_t cam_eeprom_get_cal_data(struct cam_eeprom_ctrl_t *e_ctrl,
e_ctrl->cal_data.num_data);
memcpy(read_buffer, e_ctrl->cal_data.mapdata,
e_ctrl->cal_data.num_data);
cam_mem_put_cpu_buf(io_cfg->mem_handle[0]);
cam_mem_put_cpu_buf(mem_handle);
} else {
CAM_ERR(CAM_EEPROM, "Invalid direction");
rc = -EINVAL;
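Review bot: The snapshot added in the second hunk uses plain loads, so the compiler remains free to re-read the packet at the later uses; if this memory can change while the function runs, as the commit message states, `plane_offset = READ_ONCE(io_cfg->offsets[0]);` and `mem_handle = READ_ONCE(io_cfg->mem_handle[0]);` make the single fetch explicit. The loop in the third hunk still reads `csl_packet->num_io_configs` and `io_cfg->direction` from the packet on every iteration, although the message names the count as the value being protected; copying the count into a local before the `for` would match the stated intent. The two new loads also sit before the loop, so `io_cfg` is now dereferenced even when `num_io_configs` is 0, which relies on `io_configs_offset` having been range-checked by a caller that is not visible on this page. The body of `cam_eeprom_get_cal_data` starts and ends outside these hunks, so whether `io_cfg` is ever advanced inside the loop (which would make the one-time snapshot stale) cannot be confirmed from here.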