Null pointer dereference in motion sensor host command
Issue description
Some sensor drivers (e.g. baro_bmp280) don't have get_offset and set_offset methods.
But the host command MOTIONSENSE_CMD_SENSOR_OFFSET calls them without checking if they are NULL, which causes an EC panic.
What steps will reproduce the problem?
(1) In the shell with root, run ectool motionsense offset ${ID of baro_bmp280 sensor}
Jan 4 2018
Also for {get,set}_range
Here's the patch: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/850639
Feb 1 2018
The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/platform/ec/+/c870c87f2d03556debd854fa816a19a2a43004f4

commit c870c87f2d03556debd854fa816a19a2a43004f4
Author: Alexandru M Stan <amstan@chromium.org>
Date: Thu Feb 01 22:55:17 2018

motion_sense: Check presence of {set,get}_{range,offset}

Prevents a null pointer dereference when the AP asks the EC for
nonexistent settings of a sensor.

BUG= chromium:761758
TEST="ectool motionsense offset ${ID of baro_bmp280 sensor}"
And see no null pointer dereference, but an invalid command error
BRANCH=master

Change-Id: I3050feaa3c9752abebc30237dac1befa4e5775cc
Signed-off-by: Alexandru M Stan <amstan@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/850639
Reviewed-by: Gwendal Grignou <gwendal@chromium.org>

[modify] https://crrev.com/c870c87f2d03556debd854fa816a19a2a43004f4/common/motion_sense.c
Feb 1 2018
Merged/fixed. Was about to remove the "empty" methods from als_bh1730.c too (thinking they were added to go around this bug), but it looks like the als driver actually makes decisions based on those methods.
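The pattern discussed in this thread, as an added example that is not the EC source or the merged patch: a host command handler that dispatches through a driver's optional function pointers and rejects the request when a method is absent. The struct layout, status codes, handler name and sensor table are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical status codes; the page only says the fix returns an "invalid command" error. */
enum status { RES_SUCCESS = 0, RES_INVALID_PARAM, RES_INVALID_COMMAND };

/* Simplified driver vtable (assumed layout): optional methods are left NULL. */
struct sensor_drv {
    int (*get_offset)(int16_t *offset);
    int (*set_offset)(const int16_t *offset);
};
struct sensor { const char *name; const struct sensor_drv *drv; };

static int16_t accel_off[3];
static int accel_get_offset(int16_t *o) { for (int i = 0; i < 3; i++) o[i] = accel_off[i]; return 0; }
static int accel_set_offset(const int16_t *o) { for (int i = 0; i < 3; i++) accel_off[i] = o[i]; return 0; }

static const struct sensor_drv accel_drv = { accel_get_offset, accel_set_offset };
static const struct sensor_drv baro_drv = { NULL, NULL }; /* driver without offset support */

/* Constructed sensor table: id 0 implements the methods, id 1 does not. */
static const struct sensor sensors[] = {
    { "accel (constructed)", &accel_drv },
    { "baro (constructed)", &baro_drv },
};
#define SENSOR_COUNT (sizeof(sensors) / sizeof(sensors[0]))

/* Offset handler: applies new_off when it is non-NULL, then reads the offset back. */
enum status cmd_sensor_offset(unsigned id, const int16_t *new_off, int16_t *out)
{
    if (id >= SENSOR_COUNT)
        return RES_INVALID_PARAM;
    const struct sensor_drv *drv = sensors[id].drv;
    /* The host chooses id, so every optional pointer is checked before any
     * call; checking both up front also avoids a set without a read-back. */
    if (new_off && !drv->set_offset)
        return RES_INVALID_COMMAND;
    if (!drv->get_offset)
        return RES_INVALID_COMMAND;
    if (new_off && drv->set_offset(new_off) != 0)
        return RES_INVALID_PARAM;
    return drv->get_offset(out) == 0 ? RES_SUCCESS : RES_INVALID_PARAM;
}

int main(void)
{
    int16_t out[3] = {0};
    int accel = cmd_sensor_offset(0, NULL, out), baro = cmd_sensor_offset(1, NULL, out);
    printf("accel: %d, baro: %d\n", accel, baro);
    return 0;
}
```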
Comment 1 by cheyuw@google.com, Sep 4 2017