DivestOS/Patches/Linux_CVEs/CVE-2015-8939/ANY/0.patch

68 lines
2.1 KiB
Diff
Raw Normal View History

From 884cff808385788fa620833c7e2160a4b98a21da Mon Sep 17 00:00:00 2001
From: raghavendra ambadas <rambad@codeaurora.org>
Date: Mon, 16 Mar 2015 18:10:35 +0530
Subject: msm_fb: display: validate input args of mdp4_argc_process_write_req
A bounds check has to be done for r/g/b stages variables
to avoid undetermined behaviour.
Change-Id: Ibdc96e79b36cf188d4b5c42d8e2d9ece8e9ace8a
Signed-off-by: Raghavendra Ambadas <rambad@codeaurora.org>
---
drivers/video/msm/mdp4_util.c | 29 ++++++++++++++++++++++++++---
1 file changed, 26 insertions(+), 3 deletions(-)
diff --git a/drivers/video/msm/mdp4_util.c b/drivers/video/msm/mdp4_util.c
index f8b7f2f..cfcccdb 100644
--- a/drivers/video/msm/mdp4_util.c
+++ b/drivers/video/msm/mdp4_util.c
@@ -2739,19 +2739,42 @@ static int mdp4_argc_process_write_req(uint32_t *offset,
struct mdp_ar_gc_lut_data r[MDP_AR_GC_MAX_STAGES];
struct mdp_ar_gc_lut_data g[MDP_AR_GC_MAX_STAGES];
struct mdp_ar_gc_lut_data b[MDP_AR_GC_MAX_STAGES];
+ uint8_t num_r_stages;
+ uint8_t num_g_stages;
+ uint8_t num_b_stages;
+
+ if (get_user(num_r_stages, &pgc_ptr->num_r_stages)) {
+ pr_err("%s failed: num_r_stages : Invalid arg\n", __func__);
+ return -EFAULT;
+ }
+
+ if (get_user(num_g_stages, &pgc_ptr->num_g_stages)) {
+ pr_err("%s failed: num_g_stages : Invalid arg\n", __func__);
+ return -EFAULT;
+ }
+
+ if (get_user(num_b_stages, &pgc_ptr->num_b_stages)) {
+ pr_err("%s failed: num_b_stages : Invalid arg\n", __func__);
+ return -EFAULT;
+ }
+
+ if ((!num_r_stages || num_r_stages > MDP_AR_GC_MAX_STAGES) ||
+ (!num_g_stages || num_g_stages > MDP_AR_GC_MAX_STAGES) ||
+ (!num_b_stages || num_b_stages > MDP_AR_GC_MAX_STAGES))
+ return -EINVAL;
ret = copy_from_user(&r[0], pgc_ptr->r_data,
- pgc_ptr->num_r_stages * sizeof(struct mdp_ar_gc_lut_data));
+ num_r_stages * sizeof(struct mdp_ar_gc_lut_data));
if (!ret) {
ret = copy_from_user(&g[0],
pgc_ptr->g_data,
- pgc_ptr->num_g_stages
+ num_g_stages
* sizeof(struct mdp_ar_gc_lut_data));
if (!ret)
ret = copy_from_user(&b[0],
pgc_ptr->b_data,
- pgc_ptr->num_b_stages
+ num_b_stages
* sizeof(struct mdp_ar_gc_lut_data));
}
--
cgit v1.1