DivestOS/Patches/Linux_CVEs/CVE-2017-7372/ANY/0001.patch

From 1806be003731d6d4be55e5b940d14ab772839e13 Mon Sep 17 00:00:00 2001
From: Rahul Sharma <sharah@codeaurora.org>
Date: Thu, 19 Jan 2017 17:01:57 +0530
Subject: msm: ba: Fix race conditions in debug writes

Use dynamic allocation for debug buffer instead of static.
This is to avoid race condition which can cause buffer overflows.

Change-Id: I1b4eecb4280843064712ee3b7b52e23f55ab53c3
Signed-off-by: Rahul Sharma <sharah@codeaurora.org>
---
 drivers/video/msm/ba/msm_ba_debug.c | 58 +++++++++++++++++++++++++------------
 1 file changed, 39 insertions(+), 19 deletions(-)

diff --git a/drivers/video/msm/ba/msm_ba_debug.c b/drivers/video/msm/ba/msm_ba_debug.c
index a39a0d3..d41d1ab 100644
--- a/drivers/video/msm/ba/msm_ba_debug.c
+++ b/drivers/video/msm/ba/msm_ba_debug.c
@@ -1,4 +1,4 @@
-/* Copyright (c) 2012-2015, The Linux Foundation. All rights reserved.
+/* Copyright (c) 2012-2015,2017 The Linux Foundation. All rights reserved.
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License version 2 and
@@ -13,7 +13,7 @@
 
 #include "msm_ba_debug.h"
 
-#define MAX_DBG_BUF_SIZE 4096
+#define MAX_DBG_BUF_SIZE 1008
 
 int msm_ba_debug = BA_ERR | BA_WARN;
 int msm_ba_debug_out = BA_OUT_PRINTK;
@@ -24,11 +24,9 @@ struct debug_buffer {
 	u32 filled_size;
 };
 
-static struct debug_buffer dbg_buf;
-
 #define INIT_DBG_BUF(__buf) ({ \
-	__buf.curr = __buf.ptr;\
-	__buf.filled_size = 0; \
+	__buf->curr = __buf->ptr;\
+	__buf->filled_size = 0; \
 })
 
 static int dev_info_open(struct inode *inode, struct file *file)
@@ -58,19 +56,30 @@ static ssize_t dev_info_read(struct file *file, char __user *buf,
 		size_t count, loff_t *ppos)
 {
 	struct msm_ba_dev *dev_ctxt = file->private_data;
+	struct debug_buffer *dbg_buf = NULL;
+	ssize_t size = 0;
 
 	if (!dev_ctxt) {
 		dprintk(BA_ERR, "Invalid params, dev: 0x%p", dev_ctxt);
 		return 0;
 	}
+
+	dbg_buf = kmalloc(sizeof(struct debug_buffer), GFP_KERNEL);
+	if (NULL == dbg_buf)
+		return 0;
+
 	INIT_DBG_BUF(dbg_buf);
-	write_str(&dbg_buf, "===============================");
-	write_str(&dbg_buf, "DEV: 0x%p", dev_ctxt);
-	write_str(&dbg_buf, "===============================");
-	write_str(&dbg_buf, "state: %d", dev_ctxt->state);
+	write_str(dbg_buf, "===============================");
+	write_str(dbg_buf, "DEV: 0x%p", dev_ctxt);
+	write_str(dbg_buf, "===============================");
+	write_str(dbg_buf, "state: %d", dev_ctxt->state);
 
-	return simple_read_from_buffer(buf, count, ppos,
-			dbg_buf.ptr, dbg_buf.filled_size);
+	size = simple_read_from_buffer(buf, count, ppos,
+			dbg_buf->ptr, dbg_buf->filled_size);
+
+	kfree(dbg_buf);
+
+	return size;
 }
 
 static const struct file_operations dev_info_fops = {
@@ -155,21 +164,32 @@ static ssize_t inst_info_read(struct file *file, char __user *buf,
 		size_t count, loff_t *ppos)
 {
 	struct msm_ba_inst *inst = file->private_data;
+	struct debug_buffer *dbg_buf = NULL;
+	ssize_t size = 0;
 
 	if (!inst) {
 		dprintk(BA_ERR, "Invalid params, dev: %p", inst);
 		return 0;
 	}
+
+	dbg_buf = kmalloc(sizeof(struct debug_buffer), GFP_KERNEL);
+	if (NULL == dbg_buf)
+		return 0;
+
 	INIT_DBG_BUF(dbg_buf);
-	write_str(&dbg_buf, "===============================");
-	write_str(&dbg_buf, "INSTANCE: %p (%s)", inst,
+	write_str(dbg_buf, "===============================");
+	write_str(dbg_buf, "INSTANCE: %p (%s)", inst,
 								"BA device");
-	write_str(&dbg_buf, "===============================");
-	write_str(&dbg_buf, "dev: %p", inst->dev_ctxt);
-	write_str(&dbg_buf, "state: %d", inst->state);
+	write_str(dbg_buf, "===============================");
+	write_str(dbg_buf, "dev: %p", inst->dev_ctxt);
+	write_str(dbg_buf, "state: %d", inst->state);
 
-	return simple_read_from_buffer(buf, count, ppos,
-		dbg_buf.ptr, dbg_buf.filled_size);
+	size = simple_read_from_buffer(buf, count, ppos,
+		dbg_buf->ptr, dbg_buf->filled_size);
+
+	kfree(dbg_buf);
+
+	return size;
 }
 
 static const struct file_operations inst_info_fops = {
-- 
cgit v1.1