
Commit dface2ac authored by Amine Najahi's avatar Amine Najahi Committed by Gerrit - the friendly Code Review server

fbdev/msm: sanitize debugfs inputs when reading mdp memory



Sanitize debugfs inputs to only allow access to the mdp memory block
specified in the dtsi file. This change allows only a single block
to be read at a time and avoids accessing memory outside of the valid
decode space, which can trigger an AHB error bus response.

Change-Id: Icede9a8939a66faa59d674c18183fb0ebcf67908
Signed-off-by: default avatarAmine Najahi <anajahi@codeaurora.org>
Signed-off-by: default avatarAbhijith Desai <desaia@codeaurora.org>
parent 4164fb8e
+39 −0
@@ -420,6 +420,39 @@ static int mdss_debug_base_release(struct inode *inode, struct file *file)
	return 0;
}

/**
 * mdss_debug_base_is_valid_range - verify if requested memory range is valid
 * @off: address offset in bytes
 * @cnt: memory size in bytes
 * Return: true if valid; false otherwise
 */
static bool mdss_debug_base_is_valid_range(u32 off, u32 cnt)
{
	struct mdss_data_type *mdata = mdss_mdp_get_mdata();
	struct mdss_debug_data *mdd = mdata->debug_inf.debug_data;
	struct range_dump_node *node;
	struct mdss_debug_base *base;

	pr_debug("check offset=0x%x cnt=0x%x\n", off, cnt);

	list_for_each_entry(base, &mdd->base_list, head) {
		list_for_each_entry(node, &base->dump_list, head) {
			pr_debug("%s: start=0x%x end=0x%x\n", node->range_name,
					node->offset.start, node->offset.end);

			if (node->offset.start <= off
					&& off <= node->offset.end
					&& off + cnt <= node->offset.end) {
				pr_debug("valid range requested\n");
				return true;
			}
		}
	}

	pr_err("invalid range requested\n");
	return false;
}

static ssize_t mdss_debug_base_offset_write(struct file *file,
		    const char __user *user_buf, size_t count, loff_t *ppos)
{
@@ -439,6 +472,9 @@ static ssize_t mdss_debug_base_offset_write(struct file *file,

	buf[count] = 0;	/* end of string */

	if (sscanf(buf, "%5x %x", &off, &cnt) != 2)
		return -EFAULT;

	if (off % sizeof(u32))
		return -EINVAL;

@@ -451,6 +487,9 @@ static ssize_t mdss_debug_base_offset_write(struct file *file,
	if (cnt > (dbg->max_offset - off))
		cnt = dbg->max_offset - off;

	if (!mdss_debug_base_is_valid_range(off, cnt))
		return -EINVAL;

	mutex_lock(&mdss_debug_lock);
	dbg->off = off;
	dbg->cnt = cnt;
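Review bot: In mdss_debug_base_is_valid_range the bound `off + cnt <= node->offset.end` is computed in u32 and can wrap, so the helper is only sound because mdss_debug_base_offset_write clamps cnt to `dbg->max_offset - off` before calling it (and that clamp in turn depends on an `off` versus `max_offset` check that is not visible in these hunks). Since `off <= node->offset.end` is already established on the preceding line, writing the last term as `cnt <= node->offset.end - off` gives the same bound without the addition and keeps the helper correct for any future caller that does not clamp. The helper also dereferences `mdata->debug_inf.debug_data` unconditionally; if that pointer can still be NULL when the debugfs node is written, a guard that returns false would be needed. Finally, `pr_err("invalid range requested\n")` fires on every rejected write from userspace, so a rate-limited or debug-level message would avoid log flooding, and the kernel-doc should state whether `offset.end` is inclusive, because `off == end` with `cnt == 0` is currently accepted.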