
Commit 41414e9f authored by Ashish Chavan

power: qpnp-qg: Fix kernel memory corruption error in qg_device_read



qg_device_read function does not validate the count. So, a call
made to this function with data_size greater than count may lead
to kernel memory corruption.

Change-Id: I8b62f94d81317569c04dceec4e9271a77a493d28
Signed-off-by: Ashish Chavan <ashichav@codeaurora.org>
parent 67e27e60
+6 −0
@@ -2253,6 +2253,12 @@ static ssize_t qg_device_read(struct file *file, char __user *buf, size_t count,
	struct qpnp_qg *chip = file->private_data;
	unsigned long data_size = sizeof(chip->kdata);

	if (count < data_size) {
		pr_err("Invalid datasize %lu, expected lesser then %zu\n",
							data_size, count);
		return -EINVAL;
	}

	/* non-blocking access, return */
	if (!chip->data_ready && (file->f_flags & O_NONBLOCK))
		return 0;
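
Review bot: The pr_err() inside the new `if (count < data_size)` check labels its two values the wrong way round and can be triggered at will by any caller that passes a short count. data_size is sizeof(chip->kdata), so it is the required minimum rather than the invalid value; count is the caller-supplied one, yet the message "Invalid datasize %lu, expected lesser then %zu" reads as if the struct size were at fault ("then" should also be "than"). Suggest wording such as "Invalid count %zu, expected at least %lu" with the arguments swapped to match, and pr_err_ratelimited() or pr_debug() so repeated short reads from userspace cannot flood the kernel log. Returning -EINVAL ahead of the O_NONBLOCK early return looks right.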