DivestOS/Patches/Linux_CVEs/CVE-2017-9678/ANY/0.patch
2017-10-29 22:14:37 -04:00


From 420d0dc1b4563880f962002e8cb21e733bf074eb Mon Sep 17 00:00:00 2001
From: Harsh Sahu <hsahu@codeaurora.org>
Date: Fri, 21 Apr 2017 16:12:22 -0700
Subject: [PATCH] msm: mdss: fix memcpy source and dest memory buffer size
mismatch
Currently memcpy is copying from a bigger memory buffer into a smaller
one, which may lead to a buffer overflow. This change corrects
the issue by restricting the memcpy length to the smaller of the
src and dest memory buffer sizes.
Bug: 35258962
Change-Id: Ibbe5665083799a4262d3cfbb06f94f3e35e03748
Signed-off-by: Harsh Sahu <hsahu@codeaurora.org>
---
drivers/video/msm/mdss/mdss_compat_utils.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/drivers/video/msm/mdss/mdss_compat_utils.c b/drivers/video/msm/mdss/mdss_compat_utils.c
index 7159d91148645..ec08626ba7765 100644
--- a/drivers/video/msm/mdss/mdss_compat_utils.c
+++ b/drivers/video/msm/mdss/mdss_compat_utils.c
@@ -119,14 +119,18 @@ static unsigned int __do_compat_ioctl_nr(unsigned int cmd32)
static void __copy_atomic_commit_struct(struct mdp_layer_commit *commit,
struct mdp_layer_commit32 *commit32)
{
+ unsigned int destSize = sizeof(commit->commit_v1.reserved);
+ unsigned int srcSize = sizeof(commit32->commit_v1.reserved);
+ unsigned int count = (destSize <= srcSize ? destSize : srcSize);
commit->version = commit32->version;
commit->commit_v1.flags = commit32->commit_v1.flags;
commit->commit_v1.input_layer_cnt =
commit32->commit_v1.input_layer_cnt;
commit->commit_v1.left_roi = commit32->commit_v1.left_roi;
commit->commit_v1.right_roi = commit32->commit_v1.right_roi;
+
memcpy(&commit->commit_v1.reserved, &commit32->commit_v1.reserved,
- sizeof(commit32->commit_v1.reserved));
+ count);
}
static struct mdp_input_layer32 *__create_layer_list32(
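Review bot: When the native `reserved` array is larger than the compat one, the clamped `memcpy` in `__copy_atomic_commit_struct` leaves the tail of `commit->commit_v1.reserved` unwritten. Unless the caller zeroes `commit` beforehand (not visible in this hunk), stale kernel memory stays in a structure that is handed on to the commit path. Clearing the destination before the copy closes that gap: `memset(&commit->commit_v1.reserved, 0, destSize);`. As a style point, both sizes are compile-time constants, so `size_t count = min(sizeof(commit->commit_v1.reserved), sizeof(commit32->commit_v1.reserved));` would replace the three camelCase `unsigned int` locals and match kernel naming and typing conventions.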