DivestOS/Patches/Linux_CVEs/CVE-2017-7364/ANY/0001.patch


From 3ce6c47d2142fcd2c4c1181afe08630aaae5a267 Mon Sep 17 00:00:00 2001
From: Harsh Sahu <hsahu@codeaurora.org>
Date: Thu, 16 Feb 2017 19:52:02 -0800
Subject: msm : mdss: Avoid arbitrary free of scale_data in error condition
In the mdss_fb_copy_destscaler_data function, when the code enters the
error section, it may free an arbitrary kernel address. This may
create a security vulnerability. Hence, fix the loop condition in
err: to use the real count of allocated buffers and avoid this arbitrary free.
Change-Id: I4014a3bf9cb0f5da994fa5c0233b7940009be0cd
Signed-off-by: Harsh Sahu <hsahu@codeaurora.org>
---
drivers/video/fbdev/msm/mdss_fb.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/drivers/video/fbdev/msm/mdss_fb.c b/drivers/video/fbdev/msm/mdss_fb.c
index a183fd7..5eab4a5 100644
--- a/drivers/video/fbdev/msm/mdss_fb.c
+++ b/drivers/video/fbdev/msm/mdss_fb.c
@@ -4471,7 +4471,7 @@ err:
static int __mdss_fb_copy_destscaler_data(struct fb_info *info,
struct mdp_layer_commit *commit)
{
- int i;
+ int i = 0;
int ret = 0;
u32 data_size;
struct mdp_destination_scaler_data __user *ds_data_user;
@@ -4544,6 +4544,7 @@ static int __mdss_fb_copy_destscaler_data(struct fb_info *info,
data_size);
if (ret) {
pr_err("scale data copy from user failed\n");
+ kfree(scale_data);
goto err;
}
}
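Review bot: The added `kfree(scale_data)` is safe only because the `err:` loop in the last hunk pre-decrements `i` and so never revisits the failing index, and nothing at this site says so. If `ds_data[i].scale` has already been pointed at this buffer before the copy (that assignment is outside the hunk), it is left dangling until `ds_data` itself is released. A comment such as `/* entry i is freed here; err: only unwinds entries 0..i-1 */` would keep a later edit from turning this into a double free. Separately, `ret` here appears to be the return of copy_from_user(), which is a count of uncopied bytes rather than an errno, so `ret = -EFAULT;` before `goto err` would give callers a proper error code. The function body starts and ends outside the hunk.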
@@ -4553,7 +4554,7 @@ static int __mdss_fb_copy_destscaler_data(struct fb_info *info,
err:
if (ds_data) {
- for (i = 0; i < commit->commit_v1.dest_scaler_cnt; i++) {
+ for (i--; i >= 0; i--) {
scale_data = to_user_ptr(ds_data[i].scale);
kfree(scale_data);
}
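Review bot: The new bound `for (i--; i >= 0; i--)` is correct only if `i` equals the number of fully set-up entries at every `goto err`, which is why the first hunk now initialises `i = 0` for jumps taken before the populate loop starts. That invariant is implicit, so a short comment above the loop, e.g. `/* i == number of entries whose .scale now holds a kernel pointer */`, would document it. The loop also assumes every `ds_data[j].scale` below `i` was either replaced with a kernel allocation or is zero. If an entry can keep its user-supplied value (the populate loop is not visible here), kfree() would still be handed a user-controlled address, so that is worth confirming.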
--
cgit v1.1