mirror of
https://github.com/Divested-Mobile/DivestOS-Build.git
synced 2024-12-20 21:34:24 -05:00
55 lines
1.8 KiB
Diff
55 lines
1.8 KiB
Diff
|
From 47918a436fa424a5eb81afc6a9eae6ad91b8b366 Mon Sep 17 00:00:00 2001
|
||
|
From: Srinivas Girigowda <sgirigow@codeaurora.org>
|
||
|
Date: Wed, 1 Feb 2017 11:49:43 -0800
|
||
|
Subject: [PATCH] qcacld-2.0: Do not copy buffer to user-space if diag read
|
||
|
fails
|
||
|
|
||
|
ATH diag procfs read is copying read_buffer to user space
|
||
|
unconditionally, causing kernel heap information leak of
|
||
|
uninitialized read_buffer if hif diag read fails.
|
||
|
|
||
|
Do not copy buffer to user space if diag read fails to
|
||
|
avoid information leak to user space.
|
||
|
|
||
|
Change-Id: I5e07cad4f90e5e9b3c461268b8fa3635c3128b9f
|
||
|
CRs-Fixed: 1104731
|
||
|
Bug: 32074353
|
||
|
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
|
||
|
---
|
||
|
drivers/staging/qcacld-2.0/CORE/SERVICES/HIF/ath_procfs.c | 11 +++++------
|
||
|
1 file changed, 5 insertions(+), 6 deletions(-)
|
||
|
|
||
|
diff --git a/drivers/staging/qcacld-2.0/CORE/SERVICES/HIF/ath_procfs.c b/drivers/staging/qcacld-2.0/CORE/SERVICES/HIF/ath_procfs.c
|
||
|
index 7b653a1dd72c8..ed0cfd69d7228 100644
|
||
|
--- a/drivers/staging/qcacld-2.0/CORE/SERVICES/HIF/ath_procfs.c
|
||
|
+++ b/drivers/staging/qcacld-2.0/CORE/SERVICES/HIF/ath_procfs.c
|
||
|
@@ -1,5 +1,5 @@
|
||
|
/*
|
||
|
- * Copyright (c) 2013 The Linux Foundation. All rights reserved.
|
||
|
+ * Copyright (c) 2013, 2016-2017 The Linux Foundation. All rights reserved.
|
||
|
*
|
||
|
* Previously licensed under the ISC license by Qualcomm Atheros, Inc.
|
||
|
*
|
||
|
@@ -110,17 +110,16 @@ static ssize_t ath_procfs_diag_read(struct file *file, char __user *buf,
|
||
|
(A_UINT8 *)read_buffer, count);
|
||
|
}
|
||
|
|
||
|
+ if (rv)
|
||
|
+ return -EIO;
|
||
|
+
|
||
|
if(copy_to_user(buf, read_buffer, count)) {
|
||
|
vos_mem_free(read_buffer);
|
||
|
return -EFAULT;
|
||
|
} else
|
||
|
vos_mem_free(read_buffer);
|
||
|
|
||
|
- if (rv == 0) {
|
||
|
- return count;
|
||
|
- } else {
|
||
|
- return -EIO;
|
||
|
- }
|
||
|
+ return count;
|
||
|
}
|
||
|
|
||
|
static ssize_t ath_procfs_diag_write(struct file *file, const char __user *buf,
|