DivestOS/Patches/Linux_CVEs/CVE-2016-3904/ANY/0001.patch
2017-11-07 17:32:46 -05:00

40 lines
1.5 KiB
Diff

From 069683407ca9a820d05c914b57c587bcd3f16a3a Mon Sep 17 00:00:00 2001
From: David Dai <daidavid1@codeaurora.org>
Date: Fri, 5 Aug 2016 15:14:25 -0700
Subject: msm: msm_bus: limit max chars read by sscanf
Current bus_floor_vote_store_api does not limit/check
the size of the string in input, allowing stack overflow.
Specify the max number of characters read allowable to
the size of destination buffer.
CRs-Fixed: 1050455
Change-Id: Ia9227480be6ea4f3ade71f5675f95a3efd9fcf99
Signed-off-by: David Dai <daidavid1@codeaurora.org>
---
drivers/platform/msm/msm_bus/msm_bus_dbg_voter.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/platform/msm/msm_bus/msm_bus_dbg_voter.c b/drivers/platform/msm/msm_bus/msm_bus_dbg_voter.c
index e4c8f1f..a876484 100644
--- a/drivers/platform/msm/msm_bus/msm_bus_dbg_voter.c
+++ b/drivers/platform/msm/msm_bus/msm_bus_dbg_voter.c
@@ -1,4 +1,4 @@
-/* Copyright (c) 2014-2015, The Linux Foundation. All rights reserved.
+/* Copyright (c) 2014-2016, The Linux Foundation. All rights reserved.
*
* This program is Mree software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2 and
@@ -133,7 +133,7 @@ static ssize_t bus_floor_vote_store_api(struct device *dev,
return 0;
}
- if (sscanf(buf, "%s %llu", name, &vote_khz) != 2) {
+ if (sscanf(buf, "%9s %llu", name, &vote_khz) != 2) {
pr_err("%s:return error", __func__);
return -EINVAL;
}
--
cgit v1.1