DivestOS/Patches/Linux_CVEs-New/CVE-2016-8478/ANY/0.patch

74 lines
2.8 KiB
Diff
Raw Normal View History

From e3af5e89426f1c8d4e703d415eff5435b925649f Mon Sep 17 00:00:00 2001
From: Benet Clark <benetc@codeaurora.org>
Date: Thu, 10 Nov 2016 17:49:09 -0800
Subject: msm: mdss: Clear compat structures before copying to user
In the compat layer, the temporary structures used to convert
data from 32bit to 64bit structures need to be set to 0 before
being assigned values.
CRs-Fixed: 1088206
Change-Id: I04497bc11e01c3df4beadfd6d9b06ab4321f1723
Signed-off-by: Benet Clark <benetc@codeaurora.org>
---
drivers/video/msm/mdss/mdss_compat_utils.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/drivers/video/msm/mdss/mdss_compat_utils.c b/drivers/video/msm/mdss/mdss_compat_utils.c
index 5ad51dd..a9ab5c1 100644
--- a/drivers/video/msm/mdss/mdss_compat_utils.c
+++ b/drivers/video/msm/mdss/mdss_compat_utils.c
@@ -846,6 +846,7 @@ static int __from_user_pcc_coeff_v17(
return -EFAULT;
}
+ memset(&pcc_cfg_payload, 0, sizeof(pcc_cfg_payload));
pcc_cfg_payload.r.b = pcc_cfg_payload32.r.b;
pcc_cfg_payload.r.g = pcc_cfg_payload32.r.g;
pcc_cfg_payload.r.c = pcc_cfg_payload32.r.c;
@@ -1127,6 +1128,8 @@ static int __from_user_igc_lut_data_v17(
pr_err("failed to copy payload from user for igc\n");
return -EFAULT;
}
+
+ memset(&igc_cfg_payload, 0, sizeof(igc_cfg_payload));
igc_cfg_payload.c0_c1_data = compat_ptr(igc_cfg_payload_32.c0_c1_data);
igc_cfg_payload.c2_data = compat_ptr(igc_cfg_payload_32.c2_data);
igc_cfg_payload.len = igc_cfg_payload_32.len;
@@ -1261,6 +1264,7 @@ static int __from_user_pgc_lut_data_v1_7(
pr_err("failed to copy from user the pgc32 payload\n");
return -EFAULT;
}
+ memset(&pgc_cfg_payload, 0, sizeof(pgc_cfg_payload));
pgc_cfg_payload.c0_data = compat_ptr(pgc_cfg_payload_32.c0_data);
pgc_cfg_payload.c1_data = compat_ptr(pgc_cfg_payload_32.c1_data);
pgc_cfg_payload.c2_data = compat_ptr(pgc_cfg_payload_32.c2_data);
@@ -1470,6 +1474,7 @@ static int __from_user_hist_lut_data_v1_7(
return -EFAULT;
}
+ memset(&hist_lut_cfg_payload, 0, sizeof(hist_lut_cfg_payload));
hist_lut_cfg_payload.len = hist_lut_cfg_payload32.len;
hist_lut_cfg_payload.data = compat_ptr(hist_lut_cfg_payload32.data);
@@ -2024,6 +2029,7 @@ static int __from_user_pa_data_v1_7(
return -EFAULT;
}
+ memset(&pa_cfg_payload, 0, sizeof(pa_cfg_payload));
pa_cfg_payload.mode = pa_cfg_payload32.mode;
pa_cfg_payload.global_hue_adj = pa_cfg_payload32.global_hue_adj;
pa_cfg_payload.global_sat_adj = pa_cfg_payload32.global_sat_adj;
@@ -2280,6 +2286,8 @@ static int __from_user_gamut_cfg_data_v17(
pr_err("failed to copy the gamut payload from userspace\n");
return -EFAULT;
}
+
+ memset(&gamut_cfg_payload, 0, sizeof(gamut_cfg_payload));
gamut_cfg_payload.mode = gamut_cfg_payload32.mode;
for (i = 0; i < MDP_GAMUT_TABLE_NUM_V1_7; i++) {
gamut_cfg_payload.tbl_size[i] =
--
cgit v1.1