Startseite Erkunden Hilfe
Anmelden
samsung-sm8650
/
android_kernel_samsung_sm8650-modules
2
0
Fork 0
Dateien Issues 0 Pull-Requests 0 Wiki
Quellcode durchsuchen

msm: camera: sensor: Handling race condition in util api

I2C cmd is coming from user space which can be modified due to
access to shared memory. This change scopes the data locally so
as to avoid vulnerability of count being modified by external
means while executing due to being in shared memory.

CRs-Fixed: 3707472
Change-Id: I8a89e23e99b80b089ed4c4cf3098feead752356e
Signed-off-by: Shivi Mangal <[email protected]>
(cherry picked from commit 4e00cc5f9f81bf471d58ee5d6beb210a5326fcff)
Shivi Mangal vor 1 Jahr
Ursprung
e8fb277c8d
Commit
6245be68a9
1 geänderte Dateien mit 10 neuen und 10 gelöschten Zeilen
Geteilte Ansicht Diff-Statistik anzeigen
  1. 10 10
      drivers/cam_sensor_module/cam_sensor_utils/cam_sensor_util.c

+ 10 - 10
drivers/cam_sensor_module/cam_sensor_utils/cam_sensor_util.c
Datei anzeigen 

@@ -277,10 +277,11 @@ int32_t cam_sensor_handle_random_write(
 
 	struct list_head **list)
 
 {
 
 	struct i2c_settings_list  *i2c_list;
 
-	int32_t rc = 0, cnt;
 
+	int32_t rc = 0, cnt, payload_count;
 
 
+	payload_count = cam_cmd_i2c_random_wr->header.count;
 
 	i2c_list = cam_sensor_get_i2c_ptr(i2c_reg_settings,
 
-		cam_cmd_i2c_random_wr->header.count);
 
+						payload_count);
 
 	if (i2c_list == NULL ||
 
 		i2c_list->i2c_settings.reg_setting == NULL) {
 
 		CAM_ERR(CAM_SENSOR_UTIL, "Failed in allocating i2c_list");
 
@@ -289,15 +290,14 @@ int32_t cam_sensor_handle_random_write(
 
 
 	*cmd_length_in_bytes = (sizeof(struct i2c_rdwr_header) +
 
 		sizeof(struct i2c_random_wr_payload) *
 
-		(cam_cmd_i2c_random_wr->header.count));
 
+		payload_count);
 
 	i2c_list->op_code = CAM_SENSOR_I2C_WRITE_RANDOM;
 
 	i2c_list->i2c_settings.addr_type =
 
 		cam_cmd_i2c_random_wr->header.addr_type;
 
 	i2c_list->i2c_settings.data_type =
 
 		cam_cmd_i2c_random_wr->header.data_type;
 
 
-	for (cnt = 0; cnt < (cam_cmd_i2c_random_wr->header.count);
 
-		cnt++) {
 
+	for (cnt = 0; cnt < payload_count; cnt++) {
 
 		i2c_list->i2c_settings.reg_setting[cnt].reg_addr =
 
 			cam_cmd_i2c_random_wr->random_wr_payload[cnt].reg_addr;
 
 		i2c_list->i2c_settings.reg_setting[cnt].reg_data =
 
@@ -317,10 +317,11 @@ int32_t cam_sensor_handle_continuous_write(
 
 	struct list_head **list)
 
 {
 
 	struct i2c_settings_list *i2c_list;
 
-	int32_t rc = 0, cnt;
 
+	int32_t rc = 0, cnt, payload_count;
 
 
+	payload_count = cam_cmd_i2c_continuous_wr->header.count;
 
 	i2c_list = cam_sensor_get_i2c_ptr(i2c_reg_settings,
 
-		cam_cmd_i2c_continuous_wr->header.count);
 
+						payload_count);
 
 	if (i2c_list == NULL ||
 
 		i2c_list->i2c_settings.reg_setting == NULL) {
 
 		CAM_ERR(CAM_SENSOR_UTIL, "Failed in allocating i2c_list");
 
@@ -330,7 +331,7 @@ int32_t cam_sensor_handle_continuous_write(
 
 	*cmd_length_in_bytes = (sizeof(struct i2c_rdwr_header) +
 
 		sizeof(cam_cmd_i2c_continuous_wr->reg_addr) +
 
 		sizeof(struct cam_cmd_read) *
 
-		(cam_cmd_i2c_continuous_wr->header.count));
 
+		(payload_count));
 
 	if (cam_cmd_i2c_continuous_wr->header.op_code ==
 
 		CAMERA_SENSOR_I2C_OP_CONT_WR_BRST)
 
 		i2c_list->op_code = CAM_SENSOR_I2C_WRITE_BURST;
 
@@ -347,8 +348,7 @@ int32_t cam_sensor_handle_continuous_write(
 
 	i2c_list->i2c_settings.size =
 
 		cam_cmd_i2c_continuous_wr->header.count;
 
 
-	for (cnt = 0; cnt < (cam_cmd_i2c_continuous_wr->header.count);
 
-		cnt++) {
 
+	for (cnt = 0; cnt < payload_count; cnt++) {
 
 		i2c_list->i2c_settings.reg_setting[cnt].reg_addr =
 
 			cam_cmd_i2c_continuous_wr->reg_addr;
 
 		i2c_list->i2c_settings.reg_setting[cnt].reg_data =