From 1e498718d20252bbedeae3a65a32ab8eeabb4406 Mon Sep 17 00:00:00 2001
From: Tanvi Aggarwal
Date: Wed, 21 Jun 2017 17:11:12 +0530
Subject: msm-camera: sensor: Fixing kernel crash during i2c read

When userspace uses ioctl(), kernel should get the data from userpsace through copy_from_user() or get_user() and send it back to userpsace though copy_to_user() or put_user(). In this case, kernel is not using put_user or copy_to_user which is leading to a crash during I2C read when it tries to access memory.

CRs-Fixed: 2058381
Change-Id: Ie5596b62cb589ee048e54f37c7e6beda0d62cad5
Signed-off-by: Tanvi Aggarwal
---
 drivers/media/platform/msm/camera_v2/sensor/msm_sensor.c | 16 +++++++++++++---
 1 file changed, 13 insertions(+), 3 deletions(-)

(limited to 'drivers/media')

diff --git a/drivers/media/platform/msm/camera_v2/sensor/msm_sensor.c b/drivers/media/platform/msm/camera_v2/sensor/msm_sensor.c
index e1143c356721..fcef05374098 100644
--- a/drivers/media/platform/msm/camera_v2/sensor/msm_sensor.c
+++ b/drivers/media/platform/msm/camera_v2/sensor/msm_sensor.c
@@ -1,4 +1,4 @@
-/* Copyright (c) 2011-2016, The Linux Foundation. All rights reserved.
+/* Copyright (c) 2011-2017, The Linux Foundation. All rights reserved.
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License version 2 and
@@ -584,7 +584,12 @@ static int msm_sensor_config32(struct msm_sensor_ctrl_t *s_ctrl,
 pr_err("%s:%d: i2c_read failed\n", __func__, __LINE__);
 break;
 }
- read_config_ptr->data = local_data;
+ if (copy_to_user(&read_config_ptr->data,
+ &local_data, sizeof(local_data))) {
+ pr_err("%s:%d failed\n", __func__, __LINE__);
+ rc = -EFAULT;
+ break;
+ }
 break;
 }
 case CFG_SLAVE_WRITE_I2C_ARRAY: {
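Review bot: The size passed to the new `copy_to_user(&read_config_ptr->data, &local_data, sizeof(local_data))` comes from the kernel-side source rather than the user-side destination field, so the write stays inside `data` only while both have the same type; neither declaration is visible in this hunk. For a single scalar, `put_user(local_data, &read_config_ptr->data)` sizes the store from the destination pointer and is the usual form. The new log line `"%s:%d failed\n"` does not say what failed; `pr_err("%s:%d copy_to_user failed\n", __func__, __LINE__);` would distinguish it from the i2c_read error just above. The same points apply to the identical hunk at -1098 in msm_sensor_config. The case body starts above the hunk, so whether the other accesses through `read_config_ptr` already use copy_from_user() cannot be confirmed from here.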
@@ -1098,7 +1103,12 @@ int msm_sensor_config(struct msm_sensor_ctrl_t *s_ctrl, void __user *argp)
 pr_err("%s:%d: i2c_read failed\n", __func__, __LINE__);
 break;
 }
- read_config_ptr->data = local_data;
+ if (copy_to_user(&read_config_ptr->data,
+ &local_data, sizeof(local_data))) {
+ pr_err("%s:%d failed\n", __func__, __LINE__);
+ rc = -EFAULT;
+ break;
+ }
 break;
 }
 case CFG_SLAVE_WRITE_I2C_ARRAY: {
--
cgit v1.2.3