
Commit 6b20920b authored by Nicholas Troast

qcom-charger: qpnp-fg: fix oob array access and uninitialized return

pos is incremented by bytes_read which could exceed the boundary of
kbuf. Fix this by checking the bounds of pos.

resched_ms is used when uninitialized. Initialize it.

Signed-off-by: Nicholas Troast <ntroast@codeaurora.org>
Change-Id: I3a01d59bb5ed53666307a5210a684c7d9fd654fc
parent f0ea5d91
+15 −3
/* Copyright (c) 2014-2016, The Linux Foundation. All rights reserved.
/* Copyright (c) 2014-2017, The Linux Foundation. All rights reserved.
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License version 2 and
@@ -2081,7 +2081,7 @@ static void update_sram_data_work(struct work_struct *work)
	struct fg_chip *chip = container_of(work,
				struct fg_chip,
				update_sram_data.work);
	int resched_ms, ret;
	int resched_ms = SRAM_PERIOD_NO_ID_UPDATE_MS, ret;
	bool tried_again = false;

wait:
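Review bot: initializing resched_ms to SRAM_PERIOD_NO_ID_UPDATE_MS at the declaration removes the uninitialized read named in the commit message, but the hunk does not show which path through update_sram_data_work previously left it unset, so a short comment on the declaration (e.g. "default period used when no SRAM update path overrides it") would document why this constant is the safe fallback rather than leaving the next reader to rediscover it.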
@@ -5961,7 +5961,19 @@ static ssize_t fg_memif_dfs_reg_write(struct file *file, const char __user *buf,
	values = kbuf;

	/* Parse the data in the buffer.  It should be a string of numbers */
	while (sscanf(kbuf + pos, "%i%n", &data, &bytes_read) == 1) {
	while ((pos < count) &&
		sscanf(kbuf + pos, "%i%n", &data, &bytes_read) == 1) {
		/*
		 * We shouldn't be receiving a string of characters that
		 * exceeds a size of 5 to keep this functionally correct.
		 * Also, we should make sure that pos never gets overflowed
		 * beyond the limit.
		 */
		if (bytes_read > 5 || bytes_read > INT_MAX - pos) {
			cnt = 0;
			ret = -EINVAL;
			break;
		}
		pos += bytes_read;
		values[cnt++] = data & 0xff;
	}
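Review bot: the added `pos < count` guard keeps the scan start inside kbuf, but sscanf() still reads from kbuf + pos until it finds a NUL terminator, so the fix is only complete if kbuf is guaranteed to be NUL-terminated at or before kbuf[count]; the allocation and copy_from_user() path that fills kbuf is above this hunk and not visible here, so please confirm it reserves and writes that terminator (or note it in the comment block above the loop). With the new bound in place, the existing `bytes_read > INT_MAX - pos` test is effectively redundant when count is bounded by the buffer size, so consider simplifying the condition to the `bytes_read > 5` check alone to make the intent clearer.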