lisa/android_kernel_xiaomi_sm8350
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge tag 'LA.UM.9.14.r1-24900-LAHAINA.QSSI14.0' of https://git.codelinaro.org/clo/la/platform/vendor/opensource/camera-kernel into android13-5.4-lahaina

Browse Source 
"LA.UM.9.14.r1-24900-LAHAINA.QSSI14.0"

* tag 'LA.UM.9.14.r1-24900-LAHAINA.QSSI14.0' of https://git.codelinaro.org/clo/la/platform/vendor/opensource/camera-kernel:
  msm: camera: sensor: TOCTOU error handling in eeprom
  msm: camera: sensor: TOCTOU error handling in eeprom
  msm: camera: sensor: TOCTOU error handling in eeprom
  msm: camera: sensor: TOCTOU error handling in eeprom

Change-Id: I185fde58c627ce0efc41855773e3b7d52075fd39
This commit is contained in:
Michael Bestas 2024-08-05 22:15:53 +03:00
commit 6f41a7e92b
No known key found for this signature in database
GPG Key ID: CC95044519BE6669
1 changed files with 23 additions and 16 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

39
techpack/camera/drivers/cam_sensor_module/cam_eeprom/cam_eeprom_core.c
View File

@ -424,6 +424,7 @@ static int32_t cam_eeprom_parse_memory_map(
int32_t rc = 0;
int32_t cnt = 0;
int32_t processed_size = 0;
int32_t payload_count;
uint8_t generic_op_code;
struct cam_eeprom_memory_map_t *map = data->map;
struct common_header *cmm_hdr =
@ -453,24 +454,25 @@ static int32_t cam_eeprom_parse_memory_map(
switch (cmm_hdr->cmd_type) {
case CAMERA_SENSOR_CMD_TYPE_I2C_RNDM_WR:
i2c_random_wr = (struct cam_cmd_i2c_random_wr *)cmd_buf;
payload_count = i2c_random_wr->header.count;
if (i2c_random_wr->header.count == 0 ||
i2c_random_wr->header.count >= MSM_EEPROM_MAX_MEM_MAP_CNT ||
if (payload_count == 0 ||
payload_count >= MSM_EEPROM_MAX_MEM_MAP_CNT ||
(size_t)*num_map >= ((MSM_EEPROM_MAX_MEM_MAP_CNT *
MSM_EEPROM_MEMORY_MAP_MAX_SIZE) -
i2c_random_wr->header.count)) {
payload_count)) {
CAM_ERR(CAM_EEPROM, "OOB Error");
return -EINVAL;
}
cmd_length_in_bytes = sizeof(struct cam_cmd_i2c_random_wr) +
((i2c_random_wr->header.count - 1) *
((payload_count - 1) *
sizeof(struct i2c_random_wr_payload));
if (cmd_length_in_bytes > remain_buf_len) {
CAM_ERR(CAM_EEPROM, "Not enough buffer remaining");
return -EINVAL;
}
for (cnt = 0; cnt < (i2c_random_wr->header.count);
for (cnt = 0; cnt < (payload_count);
cnt++) {
map[*num_map + cnt].page.addr =
i2c_random_wr->random_wr_payload[cnt].reg_addr;
@ -483,7 +485,7 @@ static int32_t cam_eeprom_parse_memory_map(
map[*num_map + cnt].page.valid_size = 1;
}
*num_map += (i2c_random_wr->header.count - 1);
*num_map += (payload_count - 1);
cmd_buf += cmd_length_in_bytes / sizeof(int32_t);
processed_size +=
cmd_length_in_bytes;
@ -491,8 +493,9 @@ static int32_t cam_eeprom_parse_memory_map(
case CAMERA_SENSOR_CMD_TYPE_I2C_CONT_RD:
i2c_cont_rd = (struct cam_cmd_i2c_continuous_rd *)cmd_buf;
cmd_length_in_bytes = sizeof(struct cam_cmd_i2c_continuous_rd);
payload_count = i2c_cont_rd->header.count;
if (i2c_cont_rd->header.count >= U32_MAX - data->num_data) {
if (payload_count >= U32_MAX - data->num_data) {
CAM_ERR(CAM_EEPROM,
"int overflow on eeprom memory block");
return -EINVAL;
@ -501,7 +504,7 @@ static int32_t cam_eeprom_parse_memory_map(
map[*num_map].mem.addr_type = i2c_cont_rd->header.addr_type;
map[*num_map].mem.data_type = i2c_cont_rd->header.data_type;
map[*num_map].mem.valid_size =
i2c_cont_rd->header.count;
payload_count;
cmd_buf += cmd_length_in_bytes / sizeof(int32_t);
processed_size +=
cmd_length_in_bytes;
@ -1088,6 +1091,8 @@ static int32_t cam_eeprom_get_cal_data(struct cam_eeprom_ctrl_t *e_ctrl,
{
struct cam_buf_io_cfg *io_cfg;
uint32_t i = 0;
size_t plane_offset;
int32_t mem_handle;
int rc = 0;
uintptr_t buf_addr;
size_t buf_size;
@ -1097,6 +1102,8 @@ static int32_t cam_eeprom_get_cal_data(struct cam_eeprom_ctrl_t *e_ctrl,
io_cfg = (struct cam_buf_io_cfg *) ((uint8_t *)
&csl_packet->payload +
csl_packet->io_configs_offset);
plane_offset = io_cfg->offsets[0];
mem_handle = io_cfg->mem_handle[0];
CAM_DBG(CAM_EEPROM, "number of IO configs: %d:",
csl_packet->num_io_configs);
@ -1104,21 +1111,21 @@ static int32_t cam_eeprom_get_cal_data(struct cam_eeprom_ctrl_t *e_ctrl,
for (i = 0; i < csl_packet->num_io_configs; i++) {
CAM_DBG(CAM_EEPROM, "Direction: %d:", io_cfg->direction);
if (io_cfg->direction == CAM_BUF_OUTPUT) {
rc = cam_mem_get_cpu_buf(io_cfg->mem_handle[0],
rc = cam_mem_get_cpu_buf(mem_handle,
&buf_addr, &buf_size);
if (rc) {
CAM_ERR(CAM_EEPROM, "Fail in get buffer: %d",
rc);
return rc;
}
if (buf_size <= io_cfg->offsets[0]) {
if (buf_size <= plane_offset) {
CAM_ERR(CAM_EEPROM, "Not enough buffer");
cam_mem_put_cpu_buf(io_cfg->mem_handle[0]);
cam_mem_put_cpu_buf(mem_handle);
rc = -EINVAL;
return rc;
}
remain_len = buf_size - io_cfg->offsets[0];
remain_len = buf_size - plane_offset;
CAM_DBG(CAM_EEPROM, "buf_addr : %pK, buf_size : %zu\n",
(void *)buf_addr, buf_size);
@ -1126,16 +1133,16 @@ static int32_t cam_eeprom_get_cal_data(struct cam_eeprom_ctrl_t *e_ctrl,
if (!read_buffer) {
CAM_ERR(CAM_EEPROM,
"invalid buffer to copy data");
cam_mem_put_cpu_buf(io_cfg->mem_handle[0]);
cam_mem_put_cpu_buf(mem_handle);
rc = -EINVAL;
return rc;
}
read_buffer += io_cfg->offsets[0];
read_buffer += plane_offset;
if (remain_len < e_ctrl->cal_data.num_data) {
CAM_ERR(CAM_EEPROM,
"failed to copy, Invalid size");
cam_mem_put_cpu_buf(io_cfg->mem_handle[0]);
cam_mem_put_cpu_buf(mem_handle);
rc = -EINVAL;
return rc;
}
@ -1144,7 +1151,7 @@ static int32_t cam_eeprom_get_cal_data(struct cam_eeprom_ctrl_t *e_ctrl,
e_ctrl->cal_data.num_data);
memcpy(read_buffer, e_ctrl->cal_data.mapdata,
e_ctrl->cal_data.num_data);
cam_mem_put_cpu_buf(io_cfg->mem_handle[0]);
cam_mem_put_cpu_buf(mem_handle);
} else {
CAM_ERR(CAM_EEPROM, "Invalid direction");
rc = -EINVAL;