DivestOS/Patches/Linux_CVEs/CVE-2016-3858/ANY/0001.patch
2017-11-07 17:32:46 -05:00


From cab2ba71f13f04aa73c8b8dadc3fc184205c9474 Mon Sep 17 00:00:00 2001
From: Srinivasarao P <spathi@codeaurora.org>
Date: Mon, 6 Jun 2016 12:33:50 +0530
Subject: qcom: ssr: Fix possible overflow when copying firmware name
Array overflow can occur in firmware_name_store() if the variable
buf contains a string larger than the size of subsys->desc->fw_name.
Change-Id: Ice39d7a1eb0b5f53125cc5d528021a99b9f7ff90
Signed-off-by: Srinivasarao P <spathi@codeaurora.org>
---
drivers/soc/qcom/subsystem_restart.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/soc/qcom/subsystem_restart.c b/drivers/soc/qcom/subsystem_restart.c
index de3a5a4..c6dbf2e 100644
--- a/drivers/soc/qcom/subsystem_restart.c
+++ b/drivers/soc/qcom/subsystem_restart.c
@@ -293,7 +293,8 @@ static ssize_t firmware_name_store(struct device *dev,
pr_info("Changing subsys fw_name to %s\n", buf);
mutex_lock(&track->lock);
- strlcpy(subsys->desc->fw_name, buf, count + 1);
+ strlcpy(subsys->desc->fw_name, buf,
+ min(count + 1, sizeof(subsys->desc->fw_name)));
mutex_unlock(&track->lock);
return count;
}
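Review bot: The clamped `strlcpy()` in firmware_name_store() now truncates an over-long name silently, and the function still returns `count`, so the writer is told the whole name was accepted while `fw_name` holds only a prefix. For a value that selects which firmware image is loaded, rejecting the write is safer than storing a different name from the one requested: add `if (count >= sizeof(subsys->desc->fw_name)) return -EINVAL;` before `mutex_lock(&track->lock);`. The `sizeof` bound is only correct if `fw_name` is a char array member rather than a pointer; its declaration is outside the hunk, so that is worth confirming. The function body starts above the hunk, so any earlier adjustment of `count` (for example newline stripping) is not visible here.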
--
cgit v1.1