DivestOS/Patches/Linux_CVEs/CVE-2017-11040/ANY/0.patch
2017-10-29 22:14:37 -04:00

36 lines
1.3 KiB
Diff

From 7a4d0eea0ca0c8a72111ae58d9829be817f102c9 Mon Sep 17 00:00:00 2001
From: Ashish Garg <ashigarg@codeaurora.org>
Date: Fri, 9 Jun 2017 16:21:20 +0530
Subject: msm: mdss: validate number of cea blocks before reading from edid_buf
Number of cea blocks are read from edid buffer which comes from the
user. If the number of cea blocks are more than the supported blocks
kernel information leak is possible by reading more data than is
present in edid_buf.
Change-Id: I03b8456ff1e1a7b15d711f06908bd5c83f83cc02
Signed-off-by: Ashish Garg <ashigarg@codeaurora.org>
---
drivers/video/fbdev/msm/mdss_hdmi_tx.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/drivers/video/fbdev/msm/mdss_hdmi_tx.c b/drivers/video/fbdev/msm/mdss_hdmi_tx.c
index 4975aa2..9f897b4 100644
--- a/drivers/video/fbdev/msm/mdss_hdmi_tx.c
+++ b/drivers/video/fbdev/msm/mdss_hdmi_tx.c
@@ -632,6 +632,11 @@ static ssize_t hdmi_tx_sysfs_rda_edid(struct device *dev,
mutex_lock(&hdmi_ctrl->tx_lock);
cea_blks = hdmi_ctrl->edid_buf[EDID_BLOCK_SIZE - 2];
+ if (cea_blks >= MAX_EDID_BLOCKS) {
+ DEV_ERR("%s: invalid cea blocks\n", __func__);
+ mutex_unlock(&hdmi_ctrl->tx_lock);
+ return -EINVAL;
+ }
size = (cea_blks + 1) * EDID_BLOCK_SIZE;
size = min_t(u32, size, PAGE_SIZE);
--
cgit v1.1