From 88ad6090d3bef22c2330f7c068f24bad73e0b220 Mon Sep 17 00:00:00 2001
From: Manish Poddar
Date: Fri, 9 Dec 2016 11:54:37 +0530
Subject: msm: camera: Lack of copy_from_user in camera driver.
In msm_copy_camera_private_ioctl_args function in msm_buf_mgr camera driver arg is pointing to an address in userspace and not kernel. Done changes to use copy_from_user to fix it.
Change-Id: Ia9b747dcf86b448656a5d3676455ccb4eccd4e5a
Signed-off-by: Manish Poddar
---
 drivers/media/platform/msm/camera_v2/msm.c | 18 +++++++++++-------
 1 file changed, 11 insertions(+), 7 deletions(-)
diff --git a/drivers/media/platform/msm/camera_v2/msm.c b/drivers/media/platform/msm/camera_v2/msm.c
index 5cf5582b55ab..c2b42a854d35 100644
--- a/drivers/media/platform/msm/camera_v2/msm.c
+++ b/drivers/media/platform/msm/camera_v2/msm.c
@@ -1119,17 +1119,21 @@ long msm_copy_camera_private_ioctl_args(unsigned long arg,
 struct msm_camera_private_ioctl_arg *k_ioctl,
 void __user **tmp_compat_ioctl_ptr)
 {
- struct msm_camera_private_ioctl_arg *up_ioctl_ptr =
- (struct msm_camera_private_ioctl_arg *)arg;
+ struct msm_camera_private_ioctl_arg up_ioctl;
 if (WARN_ON(!arg || !k_ioctl || !tmp_compat_ioctl_ptr))
 return -EIO;
- k_ioctl->id = up_ioctl_ptr->id;
- k_ioctl->size = up_ioctl_ptr->size;
- k_ioctl->result = up_ioctl_ptr->result;
- k_ioctl->reserved = up_ioctl_ptr->reserved;
- *tmp_compat_ioctl_ptr = compat_ptr(up_ioctl_ptr->ioctl_ptr);
+ if (copy_from_user(&up_ioctl,
+ (struct msm_camera_private_ioctl_arg *)arg,
+ sizeof(struct msm_camera_private_ioctl_arg)))
+ return -EFAULT;
+
+ k_ioctl->id = up_ioctl.id;
+ k_ioctl->size = up_ioctl.size;
+ k_ioctl->result = up_ioctl.result;
+ k_ioctl->reserved = up_ioctl.reserved;
+ *tmp_compat_ioctl_ptr = compat_ptr(up_ioctl.ioctl_ptr);
 return 0;
 }
-- 
cgit v1.2.3
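Review bot: The source pointer passed to the new `copy_from_user()` call is cast to `(struct msm_camera_private_ioctl_arg *)arg` without the `__user` annotation, so sparse address-space checking, the tool that would flag a direct dereference like the one being removed, still cannot see that this is a userspace address. I would write the call as `if (copy_from_user(&up_ioctl, (void __user *)arg, sizeof(up_ioctl)))`, which also ties the length to the destination object. After the copy, `size` and `ioctl_ptr` remain fully user-controlled and are handed back unvalidated, so callers (not visible in this hunk) need to bound `k_ioctl->size` before using it as a length for a later copy from `*tmp_compat_ioctl_ptr`; a short comment above the function saying so would help. Separately, the unchanged `WARN_ON(!arg || ...)` fires on a zero `arg`, which presumably comes straight from the ioctl caller, so an unprivileged process can trigger kernel warnings at will; a plain `if (!arg) return -EINVAL;` ahead of the WARN_ON for the two kernel pointers would avoid that.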