From 2ae1eab54e874553c078e5275421398597401ac9 Mon Sep 17 00:00:00 2001 From: Haibin Liu Date: Wed, 17 May 2017 18:52:30 +0800 Subject: [PATCH] msm: camera: fix untrusted pointer for power down setting When getting power down setting, there is an untrusted pointer from a user space pointer.Need to copy to the kernel space first. CRs-Fixed: 2037398 Bug: 36492827 Change-Id: I64032a96e62ddfeec85eebe984d8ba52754f6148 Signed-off-by: Haibin Liu --- .../platform/msm/camera_v2/sensor/msm_sensor_driver.c | 16 +++++----------- 1 file changed, 5 insertions(+), 11 deletions(-) diff --git a/drivers/media/platform/msm/camera_v2/sensor/msm_sensor_driver.c b/drivers/media/platform/msm/camera_v2/sensor/msm_sensor_driver.c index 87e741b651c4a..5d3c56191e0d4 100644 --- a/drivers/media/platform/msm/camera_v2/sensor/msm_sensor_driver.c +++ b/drivers/media/platform/msm/camera_v2/sensor/msm_sensor_driver.c @@ -407,17 +407,11 @@ static int32_t msm_sensor_create_pd_settings(void *setting, #ifdef CONFIG_COMPAT if (is_compat_task()) { - int i = 0; - struct msm_sensor_power_setting32 *power_setting_iter = - (struct msm_sensor_power_setting32 *)compat_ptr(( - (struct msm_camera_sensor_slave_info32 *)setting)-> - power_setting_array.power_setting); - - for (i = 0; i < size_down; i++) { - pd[i].config_val = power_setting_iter[i].config_val; - pd[i].delay = power_setting_iter[i].delay; - pd[i].seq_type = power_setting_iter[i].seq_type; - pd[i].seq_val = power_setting_iter[i].seq_val; + rc = msm_sensor_get_pw_settings_compat( + pd, pu, size_down); + if (rc < 0) { + pr_err("failed"); + return -EFAULT; } } else #endif