
Commit 53649cee authored by Jordan Crouse's avatar Jordan Crouse

msm: kgsl: Return NULL when done parsing the profiler assignments string



The assignment string parser has a corner condition wherein the user
can craft a malicious string that contains a \0 and force a buffer
overrun.  Avoid this by always returning NULL when the parser encounters
a \0.

CRs-fixed: 547601
Change-Id: Ic0dedbad946e597a5a245df41239b89f114ba9ee
Signed-off-by: default avatarJordan Crouse <jcrouse@codeaurora.org>
parent 5a515341
+11 −4
@@ -597,7 +597,7 @@ static void _add_assignment(struct adreno_device *adreno_dev,
static char *_parse_next_assignment(struct adreno_device *adreno_dev,
		char *str, int *groupid, int *countable, bool *remove)
{
	char *groupid_str, *countable_str;
	char *groupid_str, *countable_str, *next_str = NULL;
	int ret;

	*groupid = -EINVAL;
@@ -635,8 +635,15 @@ static char *_parse_next_assignment(struct adreno_device *adreno_dev,
	if (countable_str == str)
		return NULL;

	/*
	 * If we have reached the end of the original string then make sure we
	 * return NULL from this function or we could accidently overrun
	 */

	if (*str != '\0') {
		*str = '\0';
	str++;
		next_str = str + 1;
	}

	/* set results */
	*groupid = adreno_perfcounter_get_groupid(adreno_dev,
@@ -647,7 +654,7 @@ static char *_parse_next_assignment(struct adreno_device *adreno_dev,
	if (ret)
		return NULL;

	return str;
	return next_str;
}

static ssize_t profile_assignments_write(struct file *filep,
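Review bot: After this change `_parse_next_assignment` returns NULL in two different situations: on its error paths (`return NULL`), and after successfully parsing the last assignment, because `next_str` stays NULL when `*str` is already `'\0'`. A caller that treats a NULL return as "nothing parsed" would silently drop the final assignment of a string that ends without a trailing separator. The caller is outside these hunks, so confirm it inspects the out-parameters (`*groupid` is preset to `-EINVAL` at the top of the function) rather than only the return value. I would record the contract above the function, e.g. `/* Returns the next position to parse, or NULL on error or once the end of the string is reached; callers must check the out-parameters to tell the two apart. */`. The function body is only partly visible across the three hunks, so the remaining pointer advances before this point could not be checked here.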