DivestOS/Patches/Linux_CVEs/CVE-2017-9678/3.18/0001.patch
2017-11-07 17:32:46 -05:00

43 lines
1.8 KiB
Diff

From 420d0dc1b4563880f962002e8cb21e733bf074eb Mon Sep 17 00:00:00 2001
From: Harsh Sahu <hsahu@codeaurora.org>
Date: Fri, 21 Apr 2017 16:12:22 -0700
Subject: [PATCH] msm: mdss: fix memcpy source and dest memory buffer size
mismatch
Currently memcpy is copying from a bigger memory size to a smaller
memory size, which may lead to buffer overflow. This change corrects
this issue by performing the memcopy restricted to the smaller of the
src or dest memory buffer.
Bug: 35258962
Change-Id: Ibbe5665083799a4262d3cfbb06f94f3e35e03748
Signed-off-by: Harsh Sahu <hsahu@codeaurora.org>
---
drivers/video/msm/mdss/mdss_compat_utils.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/drivers/video/msm/mdss/mdss_compat_utils.c b/drivers/video/msm/mdss/mdss_compat_utils.c
index 7159d91148645..ec08626ba7765 100644
--- a/drivers/video/msm/mdss/mdss_compat_utils.c
+++ b/drivers/video/msm/mdss/mdss_compat_utils.c
@@ -119,14 +119,18 @@ static unsigned int __do_compat_ioctl_nr(unsigned int cmd32)
static void __copy_atomic_commit_struct(struct mdp_layer_commit *commit,
struct mdp_layer_commit32 *commit32)
{
+ unsigned int destSize = sizeof(commit->commit_v1.reserved);
+ unsigned int srcSize = sizeof(commit32->commit_v1.reserved);
+ unsigned int count = (destSize <= srcSize ? destSize : srcSize);
commit->version = commit32->version;
commit->commit_v1.flags = commit32->commit_v1.flags;
commit->commit_v1.input_layer_cnt =
commit32->commit_v1.input_layer_cnt;
commit->commit_v1.left_roi = commit32->commit_v1.left_roi;
commit->commit_v1.right_roi = commit32->commit_v1.right_roi;
+
memcpy(&commit->commit_v1.reserved, &commit32->commit_v1.reserved,
- sizeof(commit32->commit_v1.reserved));
+ count);
}
static struct mdp_input_layer32 *__create_layer_list32(