msm: camera: ois: Prevent direct access to userspace memories

Privileged Access Never prevent the kernel driver from accessing
userspace addresses, which this particular procedure did.

Fix this by using copy_to_user function for this procedure instead
and while we're at it, directly use the settings pointer rather
than going through set_info hoops

Change-Id: Ia06e1fa93e5f659241548b11e43b57588a6bd8f4
Signed-off-by: Angga Satya Putra <anggasp@hotmail.com>

1 files changed, 12 insertions, 6 deletions

diff --git a/drivers/media/platform/msm/camera_v2/sensor/ois/msm_ois.c b/drivers/media/platform/msm/camera_v2/sensor/ois/msm_ois.c
index d3d48b0bbe4c..478ef5b7038d 100644
--- a/drivers/media/platform/msm/camera_v2/sensor/ois/msm_ois.c
+++ b/drivers/media/platform/msm/camera_v2/sensor/ois/msm_ois.c
@@ -456,13 +456,19 @@ static int32_t msm_ois_control(struct msm_ois_ctrl_t *o_ctrl,
 			settings);
 
 		for (i = 0; i < set_info->ois_params.setting_size; i++) {
-			if (set_info->ois_params.settings[i].i2c_operation
-				== MSM_OIS_READ) {
-				set_info->ois_params.settings[i].reg_data =
-					settings[i].reg_data;
+			if (settings[i].i2c_operation == MSM_OIS_READ) {
+				if (copy_to_user(
+					(void __user *)
+					(&set_info->ois_params.settings[i].reg_data),
+					&settings[i].reg_data,
+					sizeof(struct reg_settings_ois_t))) {
+					kfree(settings);
+					pr_err("Error copying\n");
+					return -EFAULT;
+				}
 				CDBG("ois_data at addr 0x%x is 0x%x",
-				set_info->ois_params.settings[i].reg_addr,
-				set_info->ois_params.settings[i].reg_data);
+				settings[i].reg_addr,
+				settings[i].reg_data);
 			}
 		}