DivestOS/Patches/Linux_CVEs/CVE-2017-9678/4.4/0002.patch

From ad8e758d30164290a71d9c59fbf7854029556a3e Mon Sep 17 00:00:00 2001
From: Harsh Sahu <hsahu@codeaurora.org>
Date: Fri, 21 Apr 2017 16:12:22 -0700
Subject: msm: mdss: fix memcpy source and dest memory buffer size mismatch

Currently memcpy is copying from a bigger memory size to a smaller
memory size. This change corrects this issue by performing the
memcopy restricted to the smaller of the src or dest memory buffer.

CRs-fixed: 2028228
Change-Id: Ibbe5665083799a4262d3cfbb06f94f3e35e03748
Signed-off-by: Harsh Sahu <hsahu@codeaurora.org>
---
 drivers/video/fbdev/msm/mdss_compat_utils.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/drivers/video/fbdev/msm/mdss_compat_utils.c b/drivers/video/fbdev/msm/mdss_compat_utils.c
index e9ba775..ba3dec2 100644
--- a/drivers/video/fbdev/msm/mdss_compat_utils.c
+++ b/drivers/video/fbdev/msm/mdss_compat_utils.c
@@ -119,6 +119,9 @@ static unsigned int __do_compat_ioctl_nr(unsigned int cmd32)
 static void  __copy_atomic_commit_struct(struct mdp_layer_commit  *commit,
 	struct mdp_layer_commit32 *commit32)
 {
+	unsigned int destSize = sizeof(commit->commit_v1.reserved);
+	unsigned int srcSize = sizeof(commit32->commit_v1.reserved);
+	unsigned int count = (destSize <= srcSize ? destSize : srcSize);
 	commit->version = commit32->version;
 	commit->commit_v1.flags = commit32->commit_v1.flags;
 	commit->commit_v1.input_layer_cnt =
@@ -127,7 +130,7 @@ static void  __copy_atomic_commit_struct(struct mdp_layer_commit  *commit,
 	commit->commit_v1.right_roi = commit32->commit_v1.right_roi;
 	commit->commit_v1.bl_level = commit32->commit_v1.bl_level;
 	memcpy(&commit->commit_v1.reserved, &commit32->commit_v1.reserved,
-		sizeof(commit32->commit_v1.reserved));
+		count);
 }
 
 static struct mdp_input_layer32 *__create_layer_list32(
-- 
cgit v1.1