From cdedf5d97b946b03390d41ba796b818e5c7f4ee9 Mon Sep 17 00:00:00 2001
From: Adrian Salido-Moreno <adrianm@codeaurora.org>
Date: Fri, 15 Apr 2016 09:19:59 -0700
Subject: [PATCH] msm: mdss: fix possible out-of-bounds and overflow issue in
 mdp debugfs

There are few cases where the count argument passed by the user
space is not validated, which can potentially lead to out of bounds
or overflow issues. In some cases, kernel might copy more data than
what is requested. Add necessary checks to avoid such cases.

BUG=27407629
BUG=27407865

Change-Id: Ief031297961b812163cdfaf5146615b3ee67de46
---
 drivers/video/msm/mdss/mdss_debug.c | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/drivers/video/msm/mdss/mdss_debug.c b/drivers/video/msm/mdss/mdss_debug.c
index ac4d56180294..9c9bf87b1396 100644
--- a/drivers/video/msm/mdss/mdss_debug.c
+++ b/drivers/video/msm/mdss/mdss_debug.c
@@ -106,7 +106,7 @@ static ssize_t mdss_debug_base_offset_read(struct file *file,
 {
 	struct mdss_debug_base *dbg = file->private_data;
 	int len = 0;
-	char buf[24];
+	char buf[24] = {'\0'};
 
 	if (!dbg)
 		return -ENODEV;
@@ -115,10 +115,10 @@ static ssize_t mdss_debug_base_offset_read(struct file *file,
 		return 0;	/* the end */
 
 	len = snprintf(buf, sizeof(buf), "0x%08zx %zx\n", dbg->off, dbg->cnt);
-	if (len < 0)
+	if (len < 0 || len >= sizeof(buf))
 		return 0;
 
-	if (copy_to_user(buff, buf, len))
+	if ((count < sizeof(buf)) || copy_to_user(buff, buf, len))
 		return -EFAULT;
 
 	*ppos += len;	/* increase offset */
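Review bot: The new guard `count < sizeof(buf)` on the copy_to_user line refuses any read whose user buffer is smaller than the 24-byte local even when the formatted string of length `len` would fit, and it reports that as -EFAULT, which conventionally means a faulting user pointer rather than a short buffer. Bounding against what is actually copied is enough: `if (count < len) return -EINVAL;` (or `if (len > count) len = count;`) followed by the unchanged `if (copy_to_user(buff, buf, len)) return -EFAULT;`, since copy_to_user touches no more than `len` bytes. `len` is an `int` compared with `sizeof(buf)`; the comparison is safe only because `len < 0` is tested first, and `(size_t)len` would make that explicit. A truncated snprintf now silently returns 0 (EOF) instead of an error; with two `%zx` fields a 24-byte buffer can in principle overflow on 64-bit, though off/cnt are presumably small in practice. The function's tail after `*ppos += len` lies outside the hunk.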
@@ -529,7 +529,7 @@ static ssize_t mdss_debug_factor_read(struct file *file,
 {
 	struct mdss_fudge_factor *factor = file->private_data;
 	int len = 0;
-	char buf[32];
+	char buf[32] = {'\0'};
 
 	if (!factor)
 		return -ENODEV;
@@ -539,10 +539,10 @@ static ssize_t mdss_debug_factor_read(struct file *file,
 
 	len = snprintf(buf, sizeof(buf), "%d/%d\n",
 			factor->numer, factor->denom);
-	if (len < 0)
+	if (len < 0 || len >= sizeof(buf))
 		return 0;
 
-	if (copy_to_user(buff, buf, len))
+	if ((count < sizeof(buf)) || copy_to_user(buff, buf, len))
 		return -EFAULT;
 
 	*ppos += len;	/* increase offset */
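Review bot: As in mdss_debug_base_offset_read, `count < sizeof(buf)` on the copy_to_user line rejects reads with a user buffer smaller than 32 bytes although `"%d/%d\n"` never produces more than 24 characters, so the 32-byte local is only an upper bound on `len`, and a short buffer is reported as -EFAULT rather than -EINVAL. Checking the real length is sufficient here: `if (count < len) return -EINVAL;` before the existing `if (copy_to_user(buff, buf, len)) return -EFAULT;`. The added `len >= sizeof(buf)` test is purely defensive for this format, which is fine, but `(size_t)len` would document that the `int`/`size_t` comparison is intended after the `len < 0` check. The rest of the function after `*ppos += len` is outside the hunk.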
-- 
GitLab