DivestOS/Patches/Linux_CVEs-New/CVE-2017-7372/ANY/0.patch

128 lines
4.0 KiB
Diff
Raw Normal View History

From 1806be003731d6d4be55e5b940d14ab772839e13 Mon Sep 17 00:00:00 2001
From: Rahul Sharma <sharah@codeaurora.org>
Date: Thu, 19 Jan 2017 17:01:57 +0530
Subject: msm: ba: Fix race conditions in debug writes
Use dynamic allocation for debug buffer instead of static.
This is to avoid race condition which can cause buffer overflows.
Change-Id: I1b4eecb4280843064712ee3b7b52e23f55ab53c3
Signed-off-by: Rahul Sharma <sharah@codeaurora.org>
---
drivers/video/msm/ba/msm_ba_debug.c | 58 +++++++++++++++++++++++++------------
1 file changed, 39 insertions(+), 19 deletions(-)
diff --git a/drivers/video/msm/ba/msm_ba_debug.c b/drivers/video/msm/ba/msm_ba_debug.c
index a39a0d3..d41d1ab 100644
--- a/drivers/video/msm/ba/msm_ba_debug.c
+++ b/drivers/video/msm/ba/msm_ba_debug.c
@@ -1,4 +1,4 @@
-/* Copyright (c) 2012-2015, The Linux Foundation. All rights reserved.
+/* Copyright (c) 2012-2015,2017 The Linux Foundation. All rights reserved.
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2 and
@@ -13,7 +13,7 @@
#include "msm_ba_debug.h"
-#define MAX_DBG_BUF_SIZE 4096
+#define MAX_DBG_BUF_SIZE 1008
int msm_ba_debug = BA_ERR | BA_WARN;
int msm_ba_debug_out = BA_OUT_PRINTK;
@@ -24,11 +24,9 @@ struct debug_buffer {
u32 filled_size;
};
-static struct debug_buffer dbg_buf;
-
#define INIT_DBG_BUF(__buf) ({ \
- __buf.curr = __buf.ptr;\
- __buf.filled_size = 0; \
+ __buf->curr = __buf->ptr;\
+ __buf->filled_size = 0; \
})
static int dev_info_open(struct inode *inode, struct file *file)
@@ -58,19 +56,30 @@ static ssize_t dev_info_read(struct file *file, char __user *buf,
size_t count, loff_t *ppos)
{
struct msm_ba_dev *dev_ctxt = file->private_data;
+ struct debug_buffer *dbg_buf = NULL;
+ ssize_t size = 0;
if (!dev_ctxt) {
dprintk(BA_ERR, "Invalid params, dev: 0x%p", dev_ctxt);
return 0;
}
+
+ dbg_buf = kmalloc(sizeof(struct debug_buffer), GFP_KERNEL);
+ if (NULL == dbg_buf)
+ return 0;
+
INIT_DBG_BUF(dbg_buf);
- write_str(&dbg_buf, "===============================");
- write_str(&dbg_buf, "DEV: 0x%p", dev_ctxt);
- write_str(&dbg_buf, "===============================");
- write_str(&dbg_buf, "state: %d", dev_ctxt->state);
+ write_str(dbg_buf, "===============================");
+ write_str(dbg_buf, "DEV: 0x%p", dev_ctxt);
+ write_str(dbg_buf, "===============================");
+ write_str(dbg_buf, "state: %d", dev_ctxt->state);
- return simple_read_from_buffer(buf, count, ppos,
- dbg_buf.ptr, dbg_buf.filled_size);
+ size = simple_read_from_buffer(buf, count, ppos,
+ dbg_buf->ptr, dbg_buf->filled_size);
+
+ kfree(dbg_buf);
+
+ return size;
}
static const struct file_operations dev_info_fops = {
@@ -155,21 +164,32 @@ static ssize_t inst_info_read(struct file *file, char __user *buf,
size_t count, loff_t *ppos)
{
struct msm_ba_inst *inst = file->private_data;
+ struct debug_buffer *dbg_buf = NULL;
+ ssize_t size = 0;
if (!inst) {
dprintk(BA_ERR, "Invalid params, dev: %p", inst);
return 0;
}
+
+ dbg_buf = kmalloc(sizeof(struct debug_buffer), GFP_KERNEL);
+ if (NULL == dbg_buf)
+ return 0;
+
INIT_DBG_BUF(dbg_buf);
- write_str(&dbg_buf, "===============================");
- write_str(&dbg_buf, "INSTANCE: %p (%s)", inst,
+ write_str(dbg_buf, "===============================");
+ write_str(dbg_buf, "INSTANCE: %p (%s)", inst,
"BA device");
- write_str(&dbg_buf, "===============================");
- write_str(&dbg_buf, "dev: %p", inst->dev_ctxt);
- write_str(&dbg_buf, "state: %d", inst->state);
+ write_str(dbg_buf, "===============================");
+ write_str(dbg_buf, "dev: %p", inst->dev_ctxt);
+ write_str(dbg_buf, "state: %d", inst->state);
- return simple_read_from_buffer(buf, count, ppos,
- dbg_buf.ptr, dbg_buf.filled_size);
+ size = simple_read_from_buffer(buf, count, ppos,
+ dbg_buf->ptr, dbg_buf->filled_size);
+
+ kfree(dbg_buf);
+
+ return size;
}
static const struct file_operations inst_info_fops = {
--
cgit v1.1