From a1eae7800eb73b76fb604d5510cbc42a5265be86 Mon Sep 17 00:00:00 2001
From: Adrian Salido-Moreno <adrianm@codeaurora.org>
Date: Thu, 14 Apr 2016 17:47:26 -0700
Subject: [PATCH] msm: mdss: fix possible out-of-bounds and overflow issue in mdp debugfs
There are few cases where the count argument passed by the user space is not validated, which can potentially lead to out of bounds or overflow issues. In some cases, kernel might copy more data than what is requested. Add necessary checks to avoid such cases.
BUG=27407629
BUG=27407865
Change-Id: I32ccccce3179346fd261ffc5b3a379230e7b413f
---
 drivers/video/msm/mdss/mdss_debug.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/drivers/video/msm/mdss/mdss_debug.c b/drivers/video/msm/mdss/mdss_debug.c
index 13fba269852e..b98740bb3860 100644
--- a/drivers/video/msm/mdss/mdss_debug.c
+++ b/drivers/video/msm/mdss/mdss_debug.c
@@ -104,7 +104,7 @@ static ssize_t mdss_debug_base_offset_read(struct file *file,
 {
 struct mdss_debug_base *dbg = file->private_data;
 int len = 0;
- char buf[24];
+ char buf[24] = {'\0'};
 if (!dbg)
 return -ENODEV;
@@ -113,10 +113,10 @@ static ssize_t mdss_debug_base_offset_read(struct file *file,
 return 0; /* the end */
 len = snprintf(buf, sizeof(buf), "0x%08x %x\n", dbg->off, dbg->cnt);
- if (len < 0)
+ if (len < 0 || len >= sizeof(buf))
 return 0;
- if (copy_to_user(buff, buf, len))
+ if ((count < sizeof(buf)) || copy_to_user(buff, buf, len))
 return -EFAULT;
 *ppos += len; /* increase offset */
-- 
GitLab
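Review bot: The new guard in the second hunk, `(count < sizeof(buf)) || copy_to_user(buff, buf, len)`, compares `count` with the 24-byte buffer size rather than with `len`, so a reader whose buffer is large enough for the formatted text but shorter than 24 bytes is refused, and it is refused with `-EFAULT`, the errno normally reserved for a bad user pointer. Checking against the bytes actually copied and keeping the two failures apart would be more precise: `if (count < (size_t)len) return -EINVAL;` followed by `if (copy_to_user(buff, buf, len)) return -EFAULT;`. The truncation branch `len >= sizeof(buf)` returns 0, which user space sees as end-of-file, so a short comment there saying this is intentional would help the next reader. The body of mdss_debug_base_offset_read starts before and ends after this hunk, so the final return is not visible here.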