lisa/android_kernel_xiaomi_sm8350
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

disp: msm: dsi: fix out of bounds access errors

Browse Source 
This change fixes the invalid memory access. It allocates
enough memory so that out of bounds access is avoided.

Change-Id: I0749eac54cfa91891a4377b99fbd7f24dd3bd02a
Signed-off-by: Satya Rama Aditya Pinapala <psraditya30@codeaurora.org>
This commit is contained in:
Satya Rama Aditya Pinapala 2019-05-21 19:46:15 -07:00
parent 74f328561e
commit 684e070ab1
1 changed files with 13 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

21
msm/dsi/dsi_display.c
View File

@ -29,6 +29,7 @@
#define MISR_BUFF_SIZE 256
#define ESD_MODE_STRING_MAX_LEN 256
#define ESD_TRIGGER_STRING_MAX_LEN 10
#define MAX_NAME_SIZE 64
@ -1249,6 +1250,7 @@ static ssize_t debugfs_esd_trigger_check(struct file *file,
char *buf;
int rc = 0;
u32 esd_trigger;
size_t len;
if (!display)
return -ENODEV;
@ -1266,16 +1268,17 @@ static ssize_t debugfs_esd_trigger_check(struct file *file,
atomic_read(&display->panel->esd_recovery_pending))
return user_len;
buf = kzalloc(user_len, GFP_KERNEL);
buf = kzalloc(ESD_TRIGGER_STRING_MAX_LEN, GFP_KERNEL);
if (!buf)
return -ENOMEM;
if (copy_from_user(buf, user_buf, user_len)) {
len = min_t(size_t, user_len, ESD_TRIGGER_STRING_MAX_LEN - 1);
if (copy_from_user(buf, user_buf, len)) {
rc = -EINVAL;
goto error;
}
buf[user_len] = '\0'; /* terminate the string */
buf[len] = '\0'; /* terminate the string */
if (kstrtouint(buf, 10, &esd_trigger)) {
rc = -EINVAL;
@ -1298,7 +1301,7 @@ static ssize_t debugfs_esd_trigger_check(struct file *file,
}
}
rc = user_len;
rc = len;
error:
kfree(buf);
return rc;
@ -1313,7 +1316,7 @@ static ssize_t debugfs_alter_esd_check_mode(struct file *file,
struct drm_panel_esd_config *esd_config;
char *buf;
int rc = 0;
size_t len = min_t(size_t, user_len, ESD_MODE_STRING_MAX_LEN);
size_t len;
if (!display)
return -ENODEV;
@ -1321,10 +1324,11 @@ static ssize_t debugfs_alter_esd_check_mode(struct file *file,
if (*ppos)
return 0;
buf = kzalloc(len, GFP_KERNEL);
buf = kzalloc(ESD_MODE_STRING_MAX_LEN, GFP_KERNEL);
if (ZERO_OR_NULL_PTR(buf))
return -ENOMEM;
len = min_t(size_t, user_len, ESD_MODE_STRING_MAX_LEN - 1);
if (copy_from_user(buf, user_buf, len)) {
rc = -EINVAL;
goto error;
@ -1387,7 +1391,7 @@ static ssize_t debugfs_read_esd_check_mode(struct file *file,
struct drm_panel_esd_config *esd_config;
char *buf;
int rc = 0;
size_t len = min_t(size_t, user_len, ESD_MODE_STRING_MAX_LEN);
size_t len;
if (!display)
return -ENODEV;
@ -1400,7 +1404,7 @@ static ssize_t debugfs_read_esd_check_mode(struct file *file,
return -EINVAL;
}
buf = kzalloc(len, GFP_KERNEL);
buf = kzalloc(ESD_MODE_STRING_MAX_LEN, GFP_KERNEL);
if (ZERO_OR_NULL_PTR(buf))
return -ENOMEM;
@ -1411,6 +1415,7 @@ static ssize_t debugfs_read_esd_check_mode(struct file *file,
goto error;
}
len = min_t(size_t, user_len, ESD_MODE_STRING_MAX_LEN - 1);
if (!esd_config->esd_enabled) {
rc = snprintf(buf, len, "ESD feature not enabled");
goto output_mode;