Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 3cf94f42 authored by Linux Build Service Account's avatar Linux Build Service Account Committed by Gerrit - the friendly Code Review server
Browse files

Merge "fbdev: msm: Avoid UAF in mdss_dsi_cmd_write"

parents 40b293b5 6d32ceaf

drivers/video/fbdev/msm/mdss_dsi.c

+7 −2
Original line number Diff line number Diff line
@@ -978,7 +978,7 @@ static ssize_t mdss_dsi_cmd_write(struct file *file, const char __user *p, 
{

	struct buf_data *pcmds = file->private_data;

	ssize_t ret = 0;

	int blen = 0;

	unsigned int blen = 0;

	char *string_buf;



	mutex_lock(&pcmds->dbg_mutex);
@@ -990,6 +990,11 @@ static ssize_t mdss_dsi_cmd_write(struct file *file, const char __user *p, 


	/* Allocate memory for the received string */

	blen = count + (pcmds->sblen);

	if (blen > U32_MAX - 1) {

		mutex_unlock(&pcmds->dbg_mutex);

		return -EINVAL;

	}



	string_buf = krealloc(pcmds->string_buf, blen + 1, GFP_KERNEL);

	if (!string_buf) {

		pr_err("%s: Failed to allocate memory\n", __func__);
@@ -997,6 +1002,7 @@ static ssize_t mdss_dsi_cmd_write(struct file *file, const char __user *p, 
		return -ENOMEM;

	}



	pcmds->string_buf = string_buf;

	/* Writing in batches is possible */

	ret = simple_write_to_buffer(string_buf, blen, ppos, p, count);

	if (ret < 0) {
@@ -1006,7 +1012,6 @@ static ssize_t mdss_dsi_cmd_write(struct file *file, const char __user *p, 
	}



	string_buf[ret] = '\0';

	pcmds->string_buf = string_buf;

	pcmds->sblen = count;

	mutex_unlock(&pcmds->dbg_mutex);

	return ret;