DivestOS/Patches/Linux_CVEs/CVE-2016-10232/3.10/0001.patch

84 lines
2.8 KiB
Diff
Raw Normal View History

From 21e0ead58e47798567d846b84f16f89cf69a57ae Mon Sep 17 00:00:00 2001
From: Shalini Krishnamoorthi <shakri@codeaurora.org>
Date: Thu, 30 Jun 2016 14:00:04 -0700
Subject: msm: mdss: Correct the format specifiers in sscanf function
In many parts of the code the sscanf function was getting
an unsigned integer with a wrong format specifier. Changed
the format specifiers appropriately. Single variable sscanf
were replaced by kstrtouint at reported places.
CRs-Fixed: 1024872
Change-Id: I03ce718b0456d437d31d701586965d0aa7443b51
Signed-off-by: Shalini Krishnamoorthi <shakri@codeaurora.org>
---
drivers/video/msm/mdss/mdss_debug.c | 6 +++---
drivers/video/msm/mdss/mdss_fb.c | 10 +++++-----
2 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/drivers/video/msm/mdss/mdss_debug.c b/drivers/video/msm/mdss/mdss_debug.c
index 1d214ca..525cdbd 100644
--- a/drivers/video/msm/mdss/mdss_debug.c
+++ b/drivers/video/msm/mdss/mdss_debug.c
@@ -78,7 +78,7 @@ static ssize_t panel_debug_base_offset_write(struct file *file,
buf[count] = 0; /* end of string */
- if (sscanf(buf, "%x %x", &off, &cnt) != 2)
+ if (sscanf(buf, "%x %u", &off, &cnt) != 2)
return -EFAULT;
if (off > dbg->max_offset)
@@ -679,11 +679,11 @@ static ssize_t mdss_debug_factor_write(struct file *file,
if (strnchr(buf, count, '/')) {
/* Parsing buf as fraction */
- if (sscanf(buf, "%d/%d", &numer, &denom) != 2)
+ if (sscanf(buf, "%u/%u", &numer, &denom) != 2)
return -EFAULT;
} else {
/* Parsing buf as percentage */
- if (sscanf(buf, "%d", &numer) != 1)
+ if (kstrtouint(buf, 0, &numer))
return -EFAULT;
denom = 100;
}
diff --git a/drivers/video/msm/mdss/mdss_fb.c b/drivers/video/msm/mdss/mdss_fb.c
index 971fde4..ecc35c9 100644
--- a/drivers/video/msm/mdss/mdss_fb.c
+++ b/drivers/video/msm/mdss/mdss_fb.c
@@ -2,7 +2,7 @@
* Core MDSS framebuffer driver.
*
* Copyright (C) 2007 Google Incorporated
- * Copyright (c) 2008-2015, The Linux Foundation. All rights reserved.
+ * Copyright (c) 2008-2016, The Linux Foundation. All rights reserved.
*
* This software is licensed under the terms of the GNU General Public
* License version 2, as published by the Free Software Foundation, and
@@ -593,8 +593,8 @@ static ssize_t mdss_fb_force_panel_dead(struct device *dev,
return len;
}
- if (sscanf(buf, "%d", &pdata->panel_info.panel_force_dead) != 1)
- pr_err("sccanf buf error!\n");
+ if (kstrtouint(buf, 0, &pdata->panel_info.panel_force_dead))
+ pr_err("kstrtouint buf error\n");
return len;
}
@@ -707,8 +707,8 @@ static ssize_t mdss_fb_change_dfps_mode(struct device *dev,
}
pinfo = &pdata->panel_info;
- if (sscanf(buf, "%d", &dfps_mode) != 1) {
- pr_err("sccanf buf error!\n");
+ if (kstrtouint(buf, 0, &dfps_mode)) {
+ pr_err("kstrtouint buf error\n");
return len;
}
--
cgit v1.1