From 3ce6c47d2142fcd2c4c1181afe08630aaae5a267 Mon Sep 17 00:00:00 2001
From: Harsh Sahu
Date: Thu, 16 Feb 2017 19:52:02 -0800
Subject: msm : mdss: Avoid arbitrary free of scale_data in error condition

In mdss_fb_copy_destscaler_data function when the code enters error section it may free up some arbitrary kernel address. This may generate security vulnerability. Hence fixed the loop condition in err: to real count of allocated buffer to avoid this arbitrary free.

Change-Id: I4014a3bf9cb0f5da994fa5c0233b7940009be0cd
Signed-off-by: Harsh Sahu
---
 drivers/video/fbdev/msm/mdss_fb.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/drivers/video/fbdev/msm/mdss_fb.c b/drivers/video/fbdev/msm/mdss_fb.c
index a183fd7..5eab4a5 100644
--- a/drivers/video/fbdev/msm/mdss_fb.c
+++ b/drivers/video/fbdev/msm/mdss_fb.c
@@ -4471,7 +4471,7 @@ err:
 static int __mdss_fb_copy_destscaler_data(struct fb_info *info,
 struct mdp_layer_commit *commit)
 {
- int i;
+ int i = 0;
 int ret = 0;
 u32 data_size;
 struct mdp_destination_scaler_data __user *ds_data_user;
@@ -4544,6 +4544,7 @@ static int __mdss_fb_copy_destscaler_data(struct fb_info *info,
 data_size);
 if (ret) {
 pr_err("scale data copy from user failed\n");
+ kfree(scale_data);
 goto err;
 }
 }
@@ -4553,7 +4554,7 @@ static int __mdss_fb_copy_destscaler_data(struct fb_info *info,
 
 err:
 if (ds_data) {
- for (i = 0; i < commit->commit_v1.dest_scaler_cnt; i++) {
+ for (i--; i >= 0; i--) {
 scale_data = to_user_ptr(ds_data[i].scale);
 kfree(scale_data);
 }
-- 
cgit v1.1
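Review bot: The new `= 0` on `int i` in the first hunk is load-bearing rather than defensive, and nothing in the code says so. The rewritten `err:` loop in the third hunk begins with `i--`, so every `goto err` taken before the copy loop starts must see `i == 0` for the unwind to free nothing. I would document that at the declaration, e.g. `/* i doubles as the count of scale buffers allocated so far; err: unwinds from i - 1 */`, so a later cleanup does not drop the initializer or reuse `i` for another loop. Most of the function body lies outside these hunks, so whether `i` is modified anywhere else before a `goto err` should be checked against the full file.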
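Review bot: In the second hunk the failure branch jumps to `err` with whatever `ret` the preceding call produced; if that call is `copy_from_user()`, as the `pr_err` text suggests (the assignment is outside the hunk), `ret` is a positive count of uncopied bytes rather than an errno. If the function returns `ret` from the error path, a caller that tests `ret < 0` would not see the failure, so I would add `ret = -EFAULT;` before `goto err;`. Separately, after the added `kfree(scale_data);` the entry `ds_data[i].scale` may still hold the freed address; a one-line comment noting that `err:` deliberately starts at `i - 1` would explain why this is not a double free.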
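Review bot: The unwind loop in the third hunk passes `to_user_ptr(ds_data[i].scale)` to `kfree()` for every index below the failure point, which is only safe if each of those fields was overwritten with a kernel allocation (or zero) before `i` advanced; the code that does this is outside the hunk. `ds_data` appears to be populated from user space, so if any iteration can complete while leaving a caller-supplied non-zero `scale` value in place, that value would still reach `kfree()`. Keeping the kernel buffers in a separate kernel-only pointer array, or zeroing `ds_data[i].scale` whenever no buffer is allocated for that entry, would remove the dependency. As a smaller point, `while (--i >= 0)` is the more common spelling of this unwind than `for (i--; i >= 0; i--)`.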