DivestOS/Patches/Linux_CVEs/CVE-2016-3906/0.patch

144 lines
3.7 KiB
Diff

From 46d740d12c2a8bd9e0b27a968af6544682f7cb0e Mon Sep 17 00:00:00 2001
From: Archana Sathyakumar <asathyak@codeaurora.org>
Date: Mon, 22 Aug 2016 15:20:02 -0600
Subject: msm-core: debug: Update the number of supported pstates
Update the number of power-freq pair value supported in the debug
interface. Parse the arguments as uint32_t instead of uint64_t which
might cause memory corruption.
CRs-fixed: 1054344
Change-Id: I30492b79b96356177cdcc72e4e2ee656317de500
Signed-off-by: Archana Sathyakumar <asathyak@codeaurora.org>
---
drivers/power/qcom/debug_core.c | 51 +++++++++++++++++++++++++----------------
1 file changed, 31 insertions(+), 20 deletions(-)
diff --git a/drivers/power/qcom/debug_core.c b/drivers/power/qcom/debug_core.c
index e1375ff..f0333cb 100644
--- a/drivers/power/qcom/debug_core.c
+++ b/drivers/power/qcom/debug_core.c
@@ -83,15 +83,28 @@ static struct debugfs_blob_wrapper help_msg = {
};
-static void add_to_ptable(uint64_t *arg)
+static void add_to_ptable(unsigned int *arg)
{
struct core_debug *node;
int i, cpu = arg[CPU_OFFSET];
+ uint32_t freq = arg[FREQ_OFFSET];
+ uint32_t power = arg[POWER_OFFSET];
if (!cpu_possible(cpu))
return;
+ if ((freq == 0) || (power == 0)) {
+ pr_warn("Incorrect power data\n");
+ return;
+ }
+
node = &per_cpu(c_dgfs, cpu);
+
+ if (node->len >= MAX_PSTATES) {
+ pr_warn("Dropped ptable update - no space left.\n");
+ return;
+ }
+
if (!node->head) {
node->head = kzalloc(sizeof(struct cpu_pstate_pwr) *
(MAX_PSTATES + 1),
@@ -99,24 +112,18 @@ static void add_to_ptable(uint64_t *arg)
if (!node->head)
return;
}
- for (i = 0; i < MAX_PSTATES; i++) {
- if (node->head[i].freq == arg[FREQ_OFFSET]) {
- node->head[i].power = arg[POWER_OFFSET];
+
+ for (i = 0; i < node->len; i++) {
+ if (node->head[i].freq == freq) {
+ node->head[i].power = power;
return;
}
- if (node->head[i].freq == 0)
- break;
- }
-
- if (i == MAX_PSTATES) {
- pr_warn("Dropped ptable update - no space left.\n");
- return;
}
/* Insert a new frequency (may need to move things around to
keep in ascending order). */
for (i = MAX_PSTATES - 1; i > 0; i--) {
- if (node->head[i-1].freq > arg[FREQ_OFFSET]) {
+ if (node->head[i-1].freq > freq) {
node->head[i].freq = node->head[i-1].freq;
node->head[i].power = node->head[i-1].power;
} else if (node->head[i-1].freq != 0) {
@@ -124,15 +131,17 @@ static void add_to_ptable(uint64_t *arg)
}
}
- node->head[i].freq = arg[FREQ_OFFSET];
- node->head[i].power = arg[POWER_OFFSET];
- node->len++;
+ if (node->len < MAX_PSTATES) {
+ node->head[i].freq = freq;
+ node->head[i].power = power;
+ node->len++;
+ }
if (node->ptr)
node->ptr->len = node->len;
}
-static int split_ptable_args(char *line, uint64_t *arg, uint32_t n)
+static int split_ptable_args(char *line, unsigned int *arg, uint32_t n)
{
char *args;
int i;
@@ -142,7 +151,9 @@ static int split_ptable_args(char *line, uint64_t *arg, uint32_t n)
if (!line)
break;
args = strsep(&line, " ");
- ret = kstrtoull(args, 10, &arg[i]);
+ ret = kstrtouint(args, 10, &arg[i]);
+ if (ret)
+ return ret;
}
return ret;
}
@@ -152,7 +163,7 @@ static ssize_t msm_core_ptable_write(struct file *file,
{
char *kbuf;
int ret;
- uint64_t arg[3];
+ unsigned int arg[3];
if (len == 0)
return 0;
@@ -204,7 +215,7 @@ static int msm_core_ptable_read(struct seq_file *m, void *data)
seq_printf(m, "--- CPU%d - Live numbers at %ldC---\n",
cpu, node->ptr->temp);
print_table(m, msm_core_data[cpu].ptable,
- msm_core_data[cpu].len);
+ node->driver_len);
}
}
return 0;
@@ -215,7 +226,7 @@ static ssize_t msm_core_enable_write(struct file *file,
{
char *kbuf;
int ret;
- uint64_t arg[3];
+ unsigned int arg[3];
int cpu;
if (len == 0)
--
cgit v1.1