Git-Mirrors/DivestOS
1
0
Fork 0
mirror of https://github.com/Divested-Mobile/DivestOS-Build.git synced 2024-10-01 01:35:54 -04:00
Code Issues Packages Projects Releases Wiki Activity
21fdd3cec7
DivestOS/Patches/Linux_CVEs/CVE-2016-2465/3.18/0002.patch
Tad 11c7037780 Switch to new CVE patchset
2017-11-07 17:32:46 -05:00

179 lines
5.3 KiB
Diff
Raw Blame History

From 240f3bd82840fe6df7989339e465e9558f42fb85 Mon Sep 17 00:00:00 2001
From: Veera Sundaram Sankaran <veeras@codeaurora.org>
Date: Tue, 15 Mar 2016 18:42:27 -0700
Subject: msm: mdss: fix possible out-of-bounds and overflow issue in mdp
debugfs
There are few cases where the count argument passed by the user
space is not validated, which can potentially lead to out of bounds
or overflow issues. In some cases, kernel might copy more data than
what is requested. Add necessary checks to avoid such cases.
Change-Id: Ifa42fbd475665a0ca581c907ce5432584ea0e7ed
[veeras@codeaurora.org: Resolve conflicts in mdss_debug.c]
Signed-off-by: Veera Sundaram Sankaran <veeras@codeaurora.org>
---
drivers/video/msm/mdss/mdss_debug.c | 47 +++++++++++++++++++++++--------------
1 file changed, 29 insertions(+), 18 deletions(-)
diff --git a/drivers/video/msm/mdss/mdss_debug.c b/drivers/video/msm/mdss/mdss_debug.c
index e4749c5..09b0694 100644
--- a/drivers/video/msm/mdss/mdss_debug.c
+++ b/drivers/video/msm/mdss/mdss_debug.c
@@ -111,11 +111,11 @@ static ssize_t panel_debug_base_offset_read(struct file *file,
if (*ppos)
return 0; /* the end */
- len = snprintf(buf, sizeof(buf), "0x%02zx %zd\n", dbg->off, dbg->cnt);
- if (len < 0)
+ len = snprintf(buf, sizeof(buf), "0x%02zx %zx\n", dbg->off, dbg->cnt);
+ if (len < 0 || len >= sizeof(buf))
return 0;
- if (copy_to_user(buff, buf, len))
+ if ((count < sizeof(buf)) || copy_to_user(buff, buf, len))
return -EFAULT;
*ppos += len; /* increase offset */
@@ -244,7 +244,11 @@ static ssize_t panel_debug_base_reg_read(struct file *file,
if (mdata->debug_inf.debug_enable_clock)
mdata->debug_inf.debug_enable_clock(0);
- if (copy_to_user(user_buf, panel_reg_buf, len))
+ if (len < 0 || len >= sizeof(panel_reg_buf))
+ return 0;
+
+ if ((count < sizeof(panel_reg_buf))
+ || (copy_to_user(user_buf, panel_reg_buf, len)))
goto read_reg_fail;
kfree(rx_buf);
@@ -403,7 +407,7 @@ static ssize_t mdss_debug_base_offset_read(struct file *file,
{
struct mdss_debug_base *dbg = file->private_data;
int len = 0;
- char buf[24];
+ char buf[24] = {'\0'};
if (!dbg)
return -ENODEV;
@@ -412,10 +416,10 @@ static ssize_t mdss_debug_base_offset_read(struct file *file,
return 0; /* the end */
len = snprintf(buf, sizeof(buf), "0x%08zx %zx\n", dbg->off, dbg->cnt);
- if (len < 0)
+ if (len < 0 || len >= sizeof(buf))
return 0;
- if (copy_to_user(buff, buf, len))
+ if ((count < sizeof(buf)) || copy_to_user(buff, buf, len))
return -EFAULT;
*ppos += len; /* increase offset */
@@ -759,7 +763,7 @@ static ssize_t mdss_debug_factor_read(struct file *file,
{
struct mult_factor *factor = file->private_data;
int len = 0;
- char buf[32];
+ char buf[32] = {'\0'};
if (!factor)
return -ENODEV;
@@ -769,10 +773,10 @@ static ssize_t mdss_debug_factor_read(struct file *file,
len = snprintf(buf, sizeof(buf), "%d/%d\n",
factor->numer, factor->denom);
- if (len < 0)
+ if (len < 0 || len >= sizeof(buf))
return 0;
- if (copy_to_user(buff, buf, len))
+ if ((count < sizeof(buf)) || copy_to_user(buff, buf, len))
return -EFAULT;
*ppos += len; /* increase offset */
@@ -803,6 +807,8 @@ static ssize_t mdss_debug_perf_mode_write(struct file *file,
if (copy_from_user(buf, user_buf, count))
return -EFAULT;
+ buf[count] = 0; /* end of string */
+
if (sscanf(buf, "%d", &perf_mode) != 1)
return -EFAULT;
@@ -823,7 +829,7 @@ static ssize_t mdss_debug_perf_mode_read(struct file *file,
{
struct mdss_perf_tune *perf_tune = file->private_data;
int len = 0;
- char buf[40];
+ char buf[40] = {'\0'};
if (!perf_tune)
return -ENODEV;
@@ -833,10 +839,10 @@ static ssize_t mdss_debug_perf_mode_read(struct file *file,
len = snprintf(buf, sizeof(buf), "min_mdp_clk %lu min_bus_vote %llu\n",
perf_tune->min_mdp_clk, perf_tune->min_bus_vote);
- if (len < 0)
+ if (len < 0 || len >= sizeof(buf))
return 0;
- if (copy_to_user(buff, buf, len))
+ if ((count < sizeof(buf)) || copy_to_user(buff, buf, len))
return -EFAULT;
*ppos += len; /* increase offset */
@@ -856,7 +862,7 @@ static ssize_t mdss_debug_perf_panic_read(struct file *file,
{
struct mdss_data_type *mdata = file->private_data;
int len = 0;
- char buf[40];
+ char buf[40] = {'\0'};
if (!mdata)
return -ENODEV;
@@ -866,10 +872,10 @@ static ssize_t mdss_debug_perf_panic_read(struct file *file,
len = snprintf(buf, sizeof(buf), "%d\n",
!mdata->has_panic_ctrl);
- if (len < 0)
+ if (len < 0 || len >= sizeof(buf))
return 0;
- if (copy_to_user(buff, buf, len))
+ if ((count < sizeof(buf)) || copy_to_user(buff, buf, len))
return -EFAULT;
*ppos += len; /* increase offset */
@@ -932,9 +938,14 @@ static ssize_t mdss_debug_perf_panic_write(struct file *file,
if (!mdata)
return -EFAULT;
+ if (count >= sizeof(buf))
+ return -EFAULT;
+
if (copy_from_user(buf, user_buf, count))
return -EFAULT;
+ buf[count] = 0; /* end of string */
+
if (sscanf(buf, "%d", &disable_panic) != 1)
return -EFAULT;
@@ -1004,10 +1015,10 @@ static ssize_t mdss_debug_perf_bw_limit_read(struct file *file,
temp_settings++;
}
- if (len < 0)
+ if (len < 0 || len >= sizeof(buf))
return 0;
- if (copy_to_user(buff, buf, len))
+ if ((count < sizeof(buf)) || copy_to_user(buff, buf, len))
return -EFAULT;
*ppos += len; /* increase offset */
--
cgit v1.1
Reference in New Issue View Git Blame Copy Permalink