mirror of
https://github.com/Divested-Mobile/DivestOS-Build.git
synced 2024-10-01 01:35:54 -04:00
204 lines
7.0 KiB
Diff
204 lines
7.0 KiB
Diff
|
From 36503d639cedcc73880974ed92132247576e72ba Mon Sep 17 00:00:00 2001
|
||
|
From: Sreelakshmi Gownipalli <sgownipa@codeaurora.org>
|
||
|
Date: Tue, 14 Jan 2014 16:54:46 -0800
|
||
|
Subject: diag: Fix for diag debugfs buffer overflow
|
||
|
|
||
|
Diag debugfs buffer has potential buffer overflow scenario which can cause
|
||
|
memory corruption. Added safeguard to prevent this.
|
||
|
|
||
|
Crs-fixed: 585147
|
||
|
Change-Id: Ie1f099bb4bb626adff99ae225966aef70c1bc15e
|
||
|
Signed-off-by: Sreelakshmi Gownipalli <sgownipa@codeaurora.org>
|
||
|
---
|
||
|
drivers/char/diag/diag_debugfs.c | 44 +++++++++++++++++++++++++---------------
|
||
|
1 file changed, 28 insertions(+), 16 deletions(-)
|
||
|
|
||
|
diff --git a/drivers/char/diag/diag_debugfs.c b/drivers/char/diag/diag_debugfs.c
|
||
|
index d63d34b..96c0fa0 100644
|
||
|
--- a/drivers/char/diag/diag_debugfs.c
|
||
|
+++ b/drivers/char/diag/diag_debugfs.c
|
||
|
@@ -1,4 +1,4 @@
|
||
|
-/* Copyright (c) 2011-2013, The Linux Foundation. All rights reserved.
|
||
|
+/* Copyright (c) 2011-2014, The Linux Foundation. All rights reserved.
|
||
|
*
|
||
|
* This program is free software; you can redistribute it and/or modify
|
||
|
* it under the terms of the GNU General Public License version 2 and
|
||
|
@@ -33,14 +33,14 @@ static ssize_t diag_dbgfs_read_status(struct file *file, char __user *ubuf,
|
||
|
{
|
||
|
char *buf;
|
||
|
int ret;
|
||
|
-
|
||
|
+ unsigned int buf_size;
|
||
|
buf = kzalloc(sizeof(char) * DEBUG_BUF_SIZE, GFP_KERNEL);
|
||
|
if (!buf) {
|
||
|
pr_err("diag: %s, Error allocating memory\n", __func__);
|
||
|
return -ENOMEM;
|
||
|
}
|
||
|
-
|
||
|
- ret = scnprintf(buf, DEBUG_BUF_SIZE,
|
||
|
+ buf_size = ksize(buf);
|
||
|
+ ret = scnprintf(buf, buf_size,
|
||
|
"modem ch: 0x%p\n"
|
||
|
"lpass ch: 0x%p\n"
|
||
|
"riva ch: 0x%p\n"
|
||
|
@@ -183,7 +183,7 @@ static ssize_t diag_dbgfs_read_status(struct file *file, char __user *ubuf,
|
||
|
driver->real_time_mode);
|
||
|
|
||
|
#ifdef CONFIG_DIAG_OVER_USB
|
||
|
- ret += scnprintf(buf+ret, DEBUG_BUF_SIZE,
|
||
|
+ ret += scnprintf(buf+ret, buf_size-ret,
|
||
|
"usb_connected: %d\n",
|
||
|
driver->usb_connected);
|
||
|
#endif
|
||
|
@@ -200,7 +200,8 @@ static ssize_t diag_dbgfs_read_dcistats(struct file *file,
|
||
|
unsigned int bytes_remaining, bytes_written = 0;
|
||
|
unsigned int bytes_in_buf = 0, i = 0;
|
||
|
struct diag_dci_data_info *temp_data = dci_data_smd;
|
||
|
- int buf_size = (DEBUG_BUF_SIZE < count) ? DEBUG_BUF_SIZE : count;
|
||
|
+ unsigned int buf_size;
|
||
|
+ buf_size = (DEBUG_BUF_SIZE < count) ? DEBUG_BUF_SIZE : count;
|
||
|
|
||
|
if (diag_dbgfs_dci_finished) {
|
||
|
diag_dbgfs_dci_finished = 0;
|
||
|
@@ -213,6 +214,7 @@ static ssize_t diag_dbgfs_read_dcistats(struct file *file,
|
||
|
return -ENOMEM;
|
||
|
}
|
||
|
|
||
|
+ buf_size = ksize(buf);
|
||
|
bytes_remaining = buf_size;
|
||
|
|
||
|
if (diag_dbgfs_dci_data_index == 0) {
|
||
|
@@ -281,6 +283,7 @@ static ssize_t diag_dbgfs_read_workpending(struct file *file,
|
||
|
{
|
||
|
char *buf;
|
||
|
int ret;
|
||
|
+ unsigned int buf_size;
|
||
|
|
||
|
buf = kzalloc(sizeof(char) * DEBUG_BUF_SIZE, GFP_KERNEL);
|
||
|
if (!buf) {
|
||
|
@@ -288,7 +291,8 @@ static ssize_t diag_dbgfs_read_workpending(struct file *file,
|
||
|
return -ENOMEM;
|
||
|
}
|
||
|
|
||
|
- ret = scnprintf(buf, DEBUG_BUF_SIZE,
|
||
|
+ buf_size = ksize(buf);
|
||
|
+ ret = scnprintf(buf, buf_size,
|
||
|
"Pending status for work_stucts:\n"
|
||
|
"diag_drain_work: %d\n"
|
||
|
"Modem data diag_read_smd_work: %d\n"
|
||
|
@@ -336,7 +340,7 @@ static ssize_t diag_dbgfs_read_workpending(struct file *file,
|
||
|
diag_notify_update_smd_work)));
|
||
|
|
||
|
#ifdef CONFIG_DIAG_OVER_USB
|
||
|
- ret += scnprintf(buf+ret, DEBUG_BUF_SIZE,
|
||
|
+ ret += scnprintf(buf+ret, buf_size-ret,
|
||
|
"diag_proc_hdlc_work: %d\n"
|
||
|
"diag_read_work: %d\n",
|
||
|
work_pending(&(driver->diag_proc_hdlc_work)),
|
||
|
@@ -357,7 +361,8 @@ static ssize_t diag_dbgfs_read_table(struct file *file, char __user *ubuf,
|
||
|
unsigned int bytes_remaining;
|
||
|
unsigned int bytes_in_buffer = 0;
|
||
|
unsigned int bytes_written;
|
||
|
- int buf_size = (DEBUG_BUF_SIZE < count) ? DEBUG_BUF_SIZE : count;
|
||
|
+ unsigned int buf_size;
|
||
|
+ buf_size = (DEBUG_BUF_SIZE < count) ? DEBUG_BUF_SIZE : count;
|
||
|
|
||
|
if (diag_dbgfs_table_index >= diag_max_reg) {
|
||
|
/* Done. Reset to prepare for future requests */
|
||
|
@@ -370,7 +375,7 @@ static ssize_t diag_dbgfs_read_table(struct file *file, char __user *ubuf,
|
||
|
pr_err("diag: %s, Error allocating memory\n", __func__);
|
||
|
return -ENOMEM;
|
||
|
}
|
||
|
-
|
||
|
+ buf_size = ksize(buf);
|
||
|
bytes_remaining = buf_size;
|
||
|
|
||
|
if (diag_dbgfs_table_index == 0) {
|
||
|
@@ -379,6 +384,7 @@ static ssize_t diag_dbgfs_read_table(struct file *file, char __user *ubuf,
|
||
|
"WCNSS: %d, APPS: %d\n",
|
||
|
MODEM_DATA, LPASS_DATA, WCNSS_DATA, APPS_DATA);
|
||
|
bytes_in_buffer += bytes_written;
|
||
|
+ bytes_remaining -= bytes_written;
|
||
|
}
|
||
|
|
||
|
for (i = diag_dbgfs_table_index; i < diag_max_reg; i++) {
|
||
|
@@ -422,14 +428,15 @@ static ssize_t diag_dbgfs_read_mempool(struct file *file, char __user *ubuf,
|
||
|
{
|
||
|
char *buf = NULL;
|
||
|
int ret = 0, i = 0;
|
||
|
-
|
||
|
+ unsigned int buf_size;
|
||
|
buf = kzalloc(sizeof(char) * DEBUG_BUF_SIZE, GFP_KERNEL);
|
||
|
if (ZERO_OR_NULL_PTR(buf)) {
|
||
|
pr_err("diag: %s, Error allocating memory\n", __func__);
|
||
|
return -ENOMEM;
|
||
|
}
|
||
|
+ buf_size = ksize(buf);
|
||
|
|
||
|
- ret = scnprintf(buf, DEBUG_BUF_SIZE,
|
||
|
+ ret = scnprintf(buf, buf_size,
|
||
|
"POOL_TYPE_COPY: [0x%p : 0x%p] count = %d\n"
|
||
|
"POOL_TYPE_HDLC: [0x%p : 0x%p] count = %d\n"
|
||
|
"POOL_TYPE_USER: [0x%p : 0x%p] count = %d\n"
|
||
|
@@ -454,7 +461,7 @@ static ssize_t diag_dbgfs_read_mempool(struct file *file, char __user *ubuf,
|
||
|
for (i = 0; i < MAX_HSIC_CH; i++) {
|
||
|
if (!diag_hsic[i].hsic_inited)
|
||
|
continue;
|
||
|
- ret += scnprintf(buf+ret, DEBUG_BUF_SIZE-ret,
|
||
|
+ ret += scnprintf(buf+ret, buf_size-ret,
|
||
|
"POOL_TYPE_HSIC_%d: [0x%p : 0x%p] count = %d\n",
|
||
|
i+1,
|
||
|
diag_hsic[i].diag_hsic_pool,
|
||
|
@@ -465,7 +472,7 @@ static ssize_t diag_dbgfs_read_mempool(struct file *file, char __user *ubuf,
|
||
|
for (i = 0; i < MAX_HSIC_CH; i++) {
|
||
|
if (!diag_hsic[i].hsic_inited)
|
||
|
continue;
|
||
|
- ret += scnprintf(buf+ret, DEBUG_BUF_SIZE-ret,
|
||
|
+ ret += scnprintf(buf+ret, buf_size-ret,
|
||
|
"POOL_TYPE_HSIC_%d_WRITE: [0x%p : 0x%p] count = %d\n",
|
||
|
i+1,
|
||
|
diag_hsic[i].diag_hsic_write_pool,
|
||
|
@@ -484,6 +491,7 @@ static ssize_t diag_dbgfs_read_mempool(struct file *file, char __user *ubuf,
|
||
|
{
|
||
|
char *buf = NULL;
|
||
|
int ret = 0;
|
||
|
+ unsigned int buf_size;
|
||
|
|
||
|
buf = kzalloc(sizeof(char) * DEBUG_BUF_SIZE, GFP_KERNEL);
|
||
|
if (ZERO_OR_NULL_PTR(buf)) {
|
||
|
@@ -491,7 +499,8 @@ static ssize_t diag_dbgfs_read_mempool(struct file *file, char __user *ubuf,
|
||
|
return -ENOMEM;
|
||
|
}
|
||
|
|
||
|
- ret = scnprintf(buf, DEBUG_BUF_SIZE,
|
||
|
+ buf_size = ksize(buf);
|
||
|
+ ret = scnprintf(buf, buf_size,
|
||
|
"POOL_TYPE_COPY: [0x%p : 0x%p] count = %d\n"
|
||
|
"POOL_TYPE_HDLC: [0x%p : 0x%p] count = %d\n"
|
||
|
"POOL_TYPE_USER: [0x%p : 0x%p] count = %d\n"
|
||
|
@@ -530,10 +539,12 @@ static ssize_t diag_dbgfs_read_bridge(struct file *file, char __user *ubuf,
|
||
|
unsigned int bytes_remaining;
|
||
|
unsigned int bytes_in_buffer = 0;
|
||
|
unsigned int bytes_written;
|
||
|
- int buf_size = (DEBUG_BUF_SIZE < count) ? DEBUG_BUF_SIZE : count;
|
||
|
+ unsigned int buf_size;
|
||
|
int bytes_hsic_inited = 45;
|
||
|
int bytes_hsic_not_inited = 410;
|
||
|
|
||
|
+ buf_size = (DEBUG_BUF_SIZE < count) ? DEBUG_BUF_SIZE : count;
|
||
|
+
|
||
|
if (diag_dbgfs_finished) {
|
||
|
diag_dbgfs_finished = 0;
|
||
|
return 0;
|
||
|
@@ -545,6 +556,7 @@ static ssize_t diag_dbgfs_read_bridge(struct file *file, char __user *ubuf,
|
||
|
return -ENOMEM;
|
||
|
}
|
||
|
|
||
|
+ buf_size = ksize(buf);
|
||
|
bytes_remaining = buf_size;
|
||
|
|
||
|
/* Only one smux for now */
|
||
|
--
|
||
|
cgit v1.1
|
||
|
|