Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 674a59bc authored by Subbaraman Narayanamurthy's avatar Subbaraman Narayanamurthy
Browse files

fg-util: fix a possible buffer overflow 



If the string passed is of a huge size, then bytes_read can be
higher and can overflow "pos" to a small value. This can cause
a potential buffer overflow when "pos" is used again in sscanf.
Fix this by validating bytes_read before it is used.

CRs-Fixed: 1077693
Change-Id: I59d4472b49b67f481992867a34e6779a4589d035
Signed-off-by: default avatarSubbaraman Narayanamurthy <subbaram@codeaurora.org>
parent e6574109

drivers/power/qcom-charger/fg-util.c

+11 −0
Original line number Diff line number Diff line
@@ -621,6 +621,17 @@ static ssize_t fg_sram_dfs_reg_write(struct file *file, const char __user *buf, 
	/* Parse the data in the buffer.  It should be a string of numbers */

	while ((pos < count) &&

		sscanf(kbuf + pos, "%i%n", &data, &bytes_read) == 1) {

		/*

		 * We shouldn't be receiving a string of characters that

		 * exceeds a size of 5 to keep this functionally correct.

		 * Also, we should make sure that pos never gets overflowed

		 * beyond the limit.

		 */

		if (bytes_read > 5 || bytes_read > INT_MAX - pos) {

			cnt = 0;

			ret = -EINVAL;

			break;

		}

		pos += bytes_read;

		values[cnt++] = data & 0xff;

	}