mirror of
https://github.com/Divested-Mobile/DivestOS-Build.git
synced 2024-10-01 01:35:54 -04:00
36 lines
1.3 KiB
Diff
36 lines
1.3 KiB
Diff
From 7a4d0eea0ca0c8a72111ae58d9829be817f102c9 Mon Sep 17 00:00:00 2001
|
|
From: Ashish Garg <ashigarg@codeaurora.org>
|
|
Date: Fri, 9 Jun 2017 16:21:20 +0530
|
|
Subject: msm: mdss: validate number of cea blocks before reading from edid_buf
|
|
|
|
Number of cea blocks are read from edid buffer which comes from the
|
|
user. If the number of cea blocks are more than the supported blocks
|
|
kernel information leak is possible by reading more data than is
|
|
present in edid_buf.
|
|
|
|
Change-Id: I03b8456ff1e1a7b15d711f06908bd5c83f83cc02
|
|
Signed-off-by: Ashish Garg <ashigarg@codeaurora.org>
|
|
---
|
|
drivers/video/fbdev/msm/mdss_hdmi_tx.c | 5 +++++
|
|
1 file changed, 5 insertions(+)
|
|
|
|
diff --git a/drivers/video/fbdev/msm/mdss_hdmi_tx.c b/drivers/video/fbdev/msm/mdss_hdmi_tx.c
|
|
index 4975aa2..9f897b4 100644
|
|
--- a/drivers/video/fbdev/msm/mdss_hdmi_tx.c
|
|
+++ b/drivers/video/fbdev/msm/mdss_hdmi_tx.c
|
|
@@ -632,6 +632,11 @@ static ssize_t hdmi_tx_sysfs_rda_edid(struct device *dev,
|
|
|
|
mutex_lock(&hdmi_ctrl->tx_lock);
|
|
cea_blks = hdmi_ctrl->edid_buf[EDID_BLOCK_SIZE - 2];
|
|
+ if (cea_blks >= MAX_EDID_BLOCKS) {
|
|
+ DEV_ERR("%s: invalid cea blocks\n", __func__);
|
|
+ mutex_unlock(&hdmi_ctrl->tx_lock);
|
|
+ return -EINVAL;
|
|
+ }
|
|
size = (cea_blks + 1) * EDID_BLOCK_SIZE;
|
|
size = min_t(u32, size, PAGE_SIZE);
|
|
|
|
--
|
|
cgit v1.1
|
|
|