DivestOS/Patches/Linux_CVEs/CVE-2016-8393/ANY/1.patch

62 lines
2.3 KiB
Diff
Raw Normal View History

From fd11eb5c433743c87bebe699604adfd7e7e805cf Mon Sep 17 00:00:00 2001
From: Min Chong <mchong@google.com>
Date: Thu, 13 Oct 2016 09:47:01 -0700
Subject: [PATCH] input: synaptics_dsx: add bounds checks for firmware id
A series of characters between '0' and '9' with a length more than
MAX_FIRMWARE_ID_LEN causes a heap buffer overflow. This is
mitigated by performing a bounds check.
Bug: 31911920
Signed-off-by: Mark Salyzyn <salyzyn@google.com>
Signed-off-by: Min Chong <mchong@google.com>
Change-Id: Iaefe92df2610153f2d3e2caa58322ae82cb5b7c2
---
.../touchscreen/synaptics_dsx25/synaptics_dsx_fw_update.c | 13 +++++++++----
1 file changed, 9 insertions(+), 4 deletions(-)
diff --git a/drivers/input/touchscreen/synaptics_dsx25/synaptics_dsx_fw_update.c b/drivers/input/touchscreen/synaptics_dsx25/synaptics_dsx_fw_update.c
index 908693bd26a43..ff82a4f3a55e8 100755
--- a/drivers/input/touchscreen/synaptics_dsx25/synaptics_dsx_fw_update.c
+++ b/drivers/input/touchscreen/synaptics_dsx25/synaptics_dsx_fw_update.c
@@ -16,6 +16,7 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*/
+#include <linux/ctype.h>
#include <linux/kernel.h>
#include <linux/module.h>
#include <linux/slab.h>
@@ -2154,15 +2155,15 @@ static int fwu_read_f34_blocks(unsigned short block_cnt, unsigned char cmd)
static int fwu_get_image_firmware_id(unsigned int *fw_id)
{
int retval;
- unsigned char index = 0;
- char *strptr;
char *firmware_id;
struct synaptics_rmi4_data *rmi4_data = fwu->rmi4_data;
if (fwu->img.contains_firmware_id) {
*fw_id = fwu->img.firmware_id;
} else {
- strptr = strnstr(fwu->image_name, "PR", MAX_IMAGE_NAME_LEN);
+ size_t index, max_index;
+ unsigned char *strptr = strnstr(fwu->image_name, "PR", MAX_IMAGE_NAME_LEN);
+
if (!strptr) {
dev_err(rmi4_data->pdev->dev.parent,
"%s: No valid PR number (PRxxxxxxx) "
@@ -2179,7 +2180,11 @@ static int fwu_get_image_firmware_id(unsigned int *fw_id)
__func__);
return -ENOMEM;
}
- while (strptr[index] >= '0' && strptr[index] <= '9') {
+
+ max_index = min((ptrdiff_t)(MAX_FIRMWARE_ID_LEN - 1),
+ &fwu->image_name[MAX_IMAGE_NAME_LEN] - strptr);
+ index = 0;
+ while (index < max_index && isdigit(strptr[index])) {
firmware_id[index] = strptr[index];
index++;
}