DivestOS/Patches/Linux_CVEs/CVE-2017-9719/ANY/0002.patch

From d815f54f15d765b5e0035a9d208d71567bcaace0 Mon Sep 17 00:00:00 2001
From: zhaoyuan <yzhao@codeaurora.org>
Date: Mon, 20 Feb 2017 13:42:20 +0800
Subject: msm: mdss: hdmi: check up-bound of CEC frame size

the spec says the frame size will not be greater than
14, but this have a security hole when somebody sends
a message with a size greater than 14. So need check
up-boud of the CEC frame size.

Change-Id: I743208badc5e77ae911cfb2d102f758d4843138f
Signed-off-by: zhaoyuan <yzhao@codeaurora.org>
---
 drivers/video/fbdev/msm/mdss_hdmi_cec.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/drivers/video/fbdev/msm/mdss_hdmi_cec.c b/drivers/video/fbdev/msm/mdss_hdmi_cec.c
index a424d98..a4ed012 100644
--- a/drivers/video/fbdev/msm/mdss_hdmi_cec.c
+++ b/drivers/video/fbdev/msm/mdss_hdmi_cec.c
@@ -1,4 +1,4 @@
-/* Copyright (c) 2010-2016, The Linux Foundation. All rights reserved.
+/* Copyright (c) 2010-2017, The Linux Foundation. All rights reserved.
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License version 2 and
@@ -196,7 +196,7 @@ static void hdmi_cec_msg_recv(struct work_struct *work)
 		msg.sender_id, msg.recvr_id,
 		msg.frame_size);
 
-	if (msg.frame_size < 1) {
+	if (msg.frame_size < 1 || msg.frame_size > MAX_CEC_FRAME_SIZE) {
 		DEV_ERR("%s: invalid message (frame length = %d)\n",
 			__func__, msg.frame_size);
 		return;
@@ -216,7 +216,7 @@ static void hdmi_cec_msg_recv(struct work_struct *work)
 		msg.operand[i] = data & 0xFF;
 	}
 
-	for (; i < 14; i++)
+	for (; i < MAX_OPERAND_SIZE; i++)
 		msg.operand[i] = 0;
 
 	DEV_DBG("%s: opcode 0x%x, wakup_en %d, device_suspend %d\n", __func__,
-- 
cgit v1.1
Switch to new CVE patchset 2017-11-07 17:32:46 -05:00			`From d815f54f15d765b5e0035a9d208d71567bcaace0 Mon Sep 17 00:00:00 2001`
			`From: zhaoyuan <yzhao@codeaurora.org>`
			`Date: Mon, 20 Feb 2017 13:42:20 +0800`
			`Subject: msm: mdss: hdmi: check up-bound of CEC frame size`

			`the spec says the frame size will not be greater than`
			`14, but this have a security hole when somebody sends`
			`a message with a size greater than 14. So need check`
			`up-boud of the CEC frame size.`

			`Change-Id: I743208badc5e77ae911cfb2d102f758d4843138f`
			`Signed-off-by: zhaoyuan <yzhao@codeaurora.org>`
			`---`
			`drivers/video/fbdev/msm/mdss_hdmi_cec.c \| 6 +++---`
			`1 file changed, 3 insertions(+), 3 deletions(-)`

			`diff --git a/drivers/video/fbdev/msm/mdss_hdmi_cec.c b/drivers/video/fbdev/msm/mdss_hdmi_cec.c`
			`index a424d98..a4ed012 100644`
			`--- a/drivers/video/fbdev/msm/mdss_hdmi_cec.c`
			`+++ b/drivers/video/fbdev/msm/mdss_hdmi_cec.c`
			`@@ -1,4 +1,4 @@`
			`-/* Copyright (c) 2010-2016, The Linux Foundation. All rights reserved.`
			`+/* Copyright (c) 2010-2017, The Linux Foundation. All rights reserved.`
			`*`
			`* This program is free software; you can redistribute it and/or modify`
			`* it under the terms of the GNU General Public License version 2 and`
			`@@ -196,7 +196,7 @@ static void hdmi_cec_msg_recv(struct work_struct *work)`
			`msg.sender_id, msg.recvr_id,`
			`msg.frame_size);`

			`- if (msg.frame_size < 1) {`
			`+ if (msg.frame_size < 1 \|\| msg.frame_size > MAX_CEC_FRAME_SIZE) {`
			`DEV_ERR("%s: invalid message (frame length = %d)\n",`
			`__func__, msg.frame_size);`
			`return;`
			`@@ -216,7 +216,7 @@ static void hdmi_cec_msg_recv(struct work_struct *work)`
			`msg.operand[i] = data & 0xFF;`
			`}`

			`- for (; i < 14; i++)`
			`+ for (; i < MAX_OPERAND_SIZE; i++)`
			`msg.operand[i] = 0;`

			`DEV_DBG("%s: opcode 0x%x, wakup_en %d, device_suspend %d\n", __func__,`
			`--`
			`cgit v1.1`