mirror of
https://github.com/Divested-Mobile/DivestOS-Build.git
synced 2024-10-01 01:35:54 -04:00
50 lines
1.6 KiB
Diff
50 lines
1.6 KiB
Diff
From 3ce6c47d2142fcd2c4c1181afe08630aaae5a267 Mon Sep 17 00:00:00 2001
|
|
From: Harsh Sahu <hsahu@codeaurora.org>
|
|
Date: Thu, 16 Feb 2017 19:52:02 -0800
|
|
Subject: msm : mdss: Avoid arbitrary free of scale_data in error condition
|
|
|
|
In mdss_fb_copy_destscaler_data function when the code enters error
|
|
section it may free up some arbitrary kernel address. This may
|
|
generate security vulnerability. Hence fixed the loop condition in
|
|
err: to real count of allocated buffer to avoid this arbitrary free.
|
|
|
|
Change-Id: I4014a3bf9cb0f5da994fa5c0233b7940009be0cd
|
|
Signed-off-by: Harsh Sahu <hsahu@codeaurora.org>
|
|
---
|
|
drivers/video/fbdev/msm/mdss_fb.c | 5 +++--
|
|
1 file changed, 3 insertions(+), 2 deletions(-)
|
|
|
|
diff --git a/drivers/video/fbdev/msm/mdss_fb.c b/drivers/video/fbdev/msm/mdss_fb.c
|
|
index a183fd7..5eab4a5 100644
|
|
--- a/drivers/video/fbdev/msm/mdss_fb.c
|
|
+++ b/drivers/video/fbdev/msm/mdss_fb.c
|
|
@@ -4471,7 +4471,7 @@ err:
|
|
static int __mdss_fb_copy_destscaler_data(struct fb_info *info,
|
|
struct mdp_layer_commit *commit)
|
|
{
|
|
- int i;
|
|
+ int i = 0;
|
|
int ret = 0;
|
|
u32 data_size;
|
|
struct mdp_destination_scaler_data __user *ds_data_user;
|
|
@@ -4544,6 +4544,7 @@ static int __mdss_fb_copy_destscaler_data(struct fb_info *info,
|
|
data_size);
|
|
if (ret) {
|
|
pr_err("scale data copy from user failed\n");
|
|
+ kfree(scale_data);
|
|
goto err;
|
|
}
|
|
}
|
|
@@ -4553,7 +4554,7 @@ static int __mdss_fb_copy_destscaler_data(struct fb_info *info,
|
|
|
|
err:
|
|
if (ds_data) {
|
|
- for (i = 0; i < commit->commit_v1.dest_scaler_cnt; i++) {
|
|
+ for (i--; i >= 0; i--) {
|
|
scale_data = to_user_ptr(ds_data[i].scale);
|
|
kfree(scale_data);
|
|
}
|
|
--
|
|
cgit v1.1
|
|
|