Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 36503d63 authored by Sreelakshmi Gownipalli's avatar Sreelakshmi Gownipalli
Browse files

diag: Fix for diag debugfs buffer overflow 



Diag debugfs buffer has potential buffer overflow scenario which can cause
memory corruption. Added safeguard to prevent this.

Crs-fixed: 585147
Change-Id: Ie1f099bb4bb626adff99ae225966aef70c1bc15e
Signed-off-by: default avatarSreelakshmi Gownipalli <sgownipa@codeaurora.org>
parent 75bb475d

drivers/char/diag/diag_debugfs.c

+28 −16
Original line number Diff line number Diff line 
/* Copyright (c) 2011-2013, The Linux Foundation. All rights reserved.

/* Copyright (c) 2011-2014, The Linux Foundation. All rights reserved.

 *

 * This program is free software; you can redistribute it and/or modify

 * it under the terms of the GNU General Public License version 2 and
@@ -33,14 +33,14 @@ static ssize_t diag_dbgfs_read_status(struct file *file, char __user *ubuf, 
{

	char *buf;

	int ret;



	unsigned int buf_size;

	buf = kzalloc(sizeof(char) * DEBUG_BUF_SIZE, GFP_KERNEL);

	if (!buf) {

		pr_err("diag: %s, Error allocating memory\n", __func__);

		return -ENOMEM;

	}



	ret = scnprintf(buf, DEBUG_BUF_SIZE,

	buf_size = ksize(buf);

	ret = scnprintf(buf, buf_size,

		"modem ch: 0x%p\n"

		"lpass ch: 0x%p\n"

		"riva ch: 0x%p\n"
@@ -183,7 +183,7 @@ static ssize_t diag_dbgfs_read_status(struct file *file, char __user *ubuf, 
		driver->real_time_mode);



#ifdef CONFIG_DIAG_OVER_USB

	ret += scnprintf(buf+ret, DEBUG_BUF_SIZE,

	ret += scnprintf(buf+ret, buf_size-ret,

		"usb_connected: %d\n",

		driver->usb_connected);

#endif
@@ -200,7 +200,8 @@ static ssize_t diag_dbgfs_read_dcistats(struct file *file, 
	unsigned int bytes_remaining, bytes_written = 0;

	unsigned int bytes_in_buf = 0, i = 0;

	struct diag_dci_data_info *temp_data = dci_data_smd;

	int buf_size = (DEBUG_BUF_SIZE < count) ? DEBUG_BUF_SIZE : count;

	unsigned int buf_size;

	buf_size = (DEBUG_BUF_SIZE < count) ? DEBUG_BUF_SIZE : count;



	if (diag_dbgfs_dci_finished) {

		diag_dbgfs_dci_finished = 0;
@@ -213,6 +214,7 @@ static ssize_t diag_dbgfs_read_dcistats(struct file *file, 
		return -ENOMEM;

	}



	buf_size = ksize(buf);

	bytes_remaining = buf_size;



	if (diag_dbgfs_dci_data_index == 0) {
@@ -281,6 +283,7 @@ static ssize_t diag_dbgfs_read_workpending(struct file *file, 
{

	char *buf;

	int ret;

	unsigned int buf_size;



	buf = kzalloc(sizeof(char) * DEBUG_BUF_SIZE, GFP_KERNEL);

	if (!buf) {
@@ -288,7 +291,8 @@ static ssize_t diag_dbgfs_read_workpending(struct file *file, 
		return -ENOMEM;

	}



	ret = scnprintf(buf, DEBUG_BUF_SIZE,

	buf_size = ksize(buf);

	ret = scnprintf(buf, buf_size,

		"Pending status for work_stucts:\n"

		"diag_drain_work: %d\n"

		"Modem data diag_read_smd_work: %d\n"
@@ -336,7 +340,7 @@ static ssize_t diag_dbgfs_read_workpending(struct file *file, 
						diag_notify_update_smd_work)));



#ifdef CONFIG_DIAG_OVER_USB

	ret += scnprintf(buf+ret, DEBUG_BUF_SIZE,

	ret += scnprintf(buf+ret, buf_size-ret,

		"diag_proc_hdlc_work: %d\n"

		"diag_read_work: %d\n",

		work_pending(&(driver->diag_proc_hdlc_work)),
@@ -357,7 +361,8 @@ static ssize_t diag_dbgfs_read_table(struct file *file, char __user *ubuf, 
	unsigned int bytes_remaining;

	unsigned int bytes_in_buffer = 0;

	unsigned int bytes_written;

	int buf_size = (DEBUG_BUF_SIZE < count) ? DEBUG_BUF_SIZE : count;

	unsigned int buf_size;

	buf_size = (DEBUG_BUF_SIZE < count) ? DEBUG_BUF_SIZE : count;



	if (diag_dbgfs_table_index >= diag_max_reg) {

		/* Done. Reset to prepare for future requests */
@@ -370,7 +375,7 @@ static ssize_t diag_dbgfs_read_table(struct file *file, char __user *ubuf, 
		pr_err("diag: %s, Error allocating memory\n", __func__);

		return -ENOMEM;

	}



	buf_size = ksize(buf);

	bytes_remaining = buf_size;



	if (diag_dbgfs_table_index == 0) {
@@ -379,6 +384,7 @@ static ssize_t diag_dbgfs_read_table(struct file *file, char __user *ubuf, 
			"WCNSS: %d, APPS: %d\n",

			MODEM_DATA, LPASS_DATA, WCNSS_DATA, APPS_DATA);

		bytes_in_buffer += bytes_written;

		bytes_remaining -= bytes_written;

	}



	for (i = diag_dbgfs_table_index; i < diag_max_reg; i++) {
@@ -422,14 +428,15 @@ static ssize_t diag_dbgfs_read_mempool(struct file *file, char __user *ubuf, 
{

	char *buf = NULL;

	int ret = 0, i = 0;



	unsigned int buf_size;

	buf = kzalloc(sizeof(char) * DEBUG_BUF_SIZE, GFP_KERNEL);

	if (ZERO_OR_NULL_PTR(buf)) {

		pr_err("diag: %s, Error allocating memory\n", __func__);

		return -ENOMEM;

	}

	buf_size = ksize(buf);



	ret = scnprintf(buf, DEBUG_BUF_SIZE,

	ret = scnprintf(buf, buf_size,

		"POOL_TYPE_COPY: [0x%p : 0x%p] count = %d\n"

		"POOL_TYPE_HDLC: [0x%p : 0x%p] count = %d\n"

		"POOL_TYPE_USER: [0x%p : 0x%p] count = %d\n"
@@ -454,7 +461,7 @@ static ssize_t diag_dbgfs_read_mempool(struct file *file, char __user *ubuf, 
	for (i = 0; i < MAX_HSIC_CH; i++) {

		if (!diag_hsic[i].hsic_inited)

			continue;

		ret += scnprintf(buf+ret, DEBUG_BUF_SIZE-ret,

		ret += scnprintf(buf+ret, buf_size-ret,

				"POOL_TYPE_HSIC_%d: [0x%p : 0x%p] count = %d\n",

				i+1,

				diag_hsic[i].diag_hsic_pool,
@@ -465,7 +472,7 @@ static ssize_t diag_dbgfs_read_mempool(struct file *file, char __user *ubuf, 
	for (i = 0; i < MAX_HSIC_CH; i++) {

		if (!diag_hsic[i].hsic_inited)

			continue;

		ret += scnprintf(buf+ret, DEBUG_BUF_SIZE-ret,

		ret += scnprintf(buf+ret, buf_size-ret,

				"POOL_TYPE_HSIC_%d_WRITE: [0x%p : 0x%p] count = %d\n",

				i+1,

				diag_hsic[i].diag_hsic_write_pool,
@@ -484,6 +491,7 @@ static ssize_t diag_dbgfs_read_mempool(struct file *file, char __user *ubuf, 
{

	char *buf = NULL;

	int ret = 0;

	unsigned int buf_size;



	buf = kzalloc(sizeof(char) * DEBUG_BUF_SIZE, GFP_KERNEL);

	if (ZERO_OR_NULL_PTR(buf)) {
@@ -491,7 +499,8 @@ static ssize_t diag_dbgfs_read_mempool(struct file *file, char __user *ubuf, 
		return -ENOMEM;

	}



	ret = scnprintf(buf, DEBUG_BUF_SIZE,

	buf_size = ksize(buf);

	ret = scnprintf(buf, buf_size,

		"POOL_TYPE_COPY: [0x%p : 0x%p] count = %d\n"

		"POOL_TYPE_HDLC: [0x%p : 0x%p] count = %d\n"

		"POOL_TYPE_USER: [0x%p : 0x%p] count = %d\n"
@@ -530,10 +539,12 @@ static ssize_t diag_dbgfs_read_bridge(struct file *file, char __user *ubuf, 
	unsigned int bytes_remaining;

	unsigned int bytes_in_buffer = 0;

	unsigned int bytes_written;

	int buf_size = (DEBUG_BUF_SIZE < count) ? DEBUG_BUF_SIZE : count;

	unsigned int buf_size;

	int bytes_hsic_inited = 45;

	int bytes_hsic_not_inited = 410;



	buf_size = (DEBUG_BUF_SIZE < count) ? DEBUG_BUF_SIZE : count;



	if (diag_dbgfs_finished) {

		diag_dbgfs_finished = 0;

		return 0;
@@ -545,6 +556,7 @@ static ssize_t diag_dbgfs_read_bridge(struct file *file, char __user *ubuf, 
		return -ENOMEM;

	}



	buf_size = ksize(buf);

	bytes_remaining = buf_size;



	/* Only one smux for now */