
Commit 48ff6a8e authored by Ravi Kumar Siddojigari's avatar Ravi Kumar Siddojigari Committed by Shantanu Jain

input: synaptics_dsx: allocate heap memory for temp buf



There is a possible stack overflow vulnerability in the rmidev_write
function because the stack array size is from user space.
Change the code to allocate heap memory for the temporary buffer instead of
stack memory to prevent the stack overflow vulnerability.
As discussed under CVE-2016-3865 and ANDROID-28799389.

Change-Id: I20f639e09aaf3c533c98a12a2413570feae3d6d0
Signed-off-by: default avatarRavi Kumar Siddojigari <rsiddoji@codeaurora.org>
Signed-off-by: default avatarShantanu Jain <shjain@codeaurora.org>
parent 0f4a079d
+15 −6
@@ -347,7 +347,7 @@ static ssize_t rmidev_read(struct file *filp, char __user *buf,
		size_t count, loff_t *f_pos)
{
	ssize_t retval;
	unsigned char tmpbuf[count + 1];
	unsigned char *tmpbuf;
	struct rmidev_data *dev_data = filp->private_data;

	if (IS_ERR(dev_data)) {
@@ -361,6 +361,10 @@ static ssize_t rmidev_read(struct file *filp, char __user *buf,
	if (count > (REG_ADDR_LIMIT - *f_pos))
		count = REG_ADDR_LIMIT - *f_pos;

	tmpbuf = kzalloc(count + 1, GFP_KERNEL);
	if (!tmpbuf)
		return -ENOMEM;

	mutex_lock(&(dev_data->file_mutex));

	retval = synaptics_rmi4_reg_read(rmidev->rmi4_data,
@@ -377,7 +381,7 @@ static ssize_t rmidev_read(struct file *filp, char __user *buf,

clean_up:
	mutex_unlock(&(dev_data->file_mutex));

	kfree(tmpbuf);
	return retval;
}

@@ -393,7 +397,7 @@ static ssize_t rmidev_write(struct file *filp, const char __user *buf,
		size_t count, loff_t *f_pos)
{
	ssize_t retval;
	unsigned char tmpbuf[count + 1];
	unsigned char *tmpbuf;
	struct rmidev_data *dev_data = filp->private_data;

	if (IS_ERR(dev_data)) {
@@ -407,9 +411,14 @@ static ssize_t rmidev_write(struct file *filp, const char __user *buf,
	if (count > (REG_ADDR_LIMIT - *f_pos))
		count = REG_ADDR_LIMIT - *f_pos;

	if (copy_from_user(tmpbuf, buf, count))
		return -EFAULT;
	tmpbuf = kzalloc(count + 1, GFP_KERNEL);
	if (!tmpbuf)
		return -ENOMEM;

	if (copy_from_user(tmpbuf, buf, count)) {
		kfree(tmpbuf);
		return -EFAULT;
	}
	mutex_lock(&(dev_data->file_mutex));

	retval = synaptics_rmi4_reg_write(rmidev->rmi4_data,
@@ -420,7 +429,7 @@ static ssize_t rmidev_write(struct file *filp, const char __user *buf,
		*f_pos += retval;

	mutex_unlock(&(dev_data->file_mutex));

	kfree(tmpbuf);
	return retval;
}
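Review bot: `tmpbuf = kzalloc(count + 1, GFP_KERNEL);` in both rmidev_read and rmidev_write keeps the `+ 1` that only made sense for the old variable-length stack array and zero-fills a buffer whose used bytes are overwritten before they are read, so `tmpbuf = kmalloc(count, GFP_KERNEL);` would state the intent more precisely (the same applies to the two hunks in the second file). The allocation size remains user-controlled, bounded only by the clamp to `REG_ADDR_LIMIT - *f_pos` two lines above; the value of REG_ADDR_LIMIT is not visible here, and if it is larger than a few pages a user-sized kmalloc of that order can fail or warn under memory pressure, so a comment such as `/* count is clamped to REG_ADDR_LIMIT above, bounding this allocation */` would document why the size is acceptable. On the visible paths every exit after the allocation reaches kfree() — the clean_up label in rmidev_read, the -EFAULT branch and the tail of rmidev_write — but the bodies between the hunks are not shown, so any other early return in those stretches would now leak the buffer where it previously could not.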

+15 −5
@@ -299,7 +299,7 @@ static ssize_t rmidev_read(struct file *filp, char __user *buf,
		size_t count, loff_t *f_pos)
{
	ssize_t retval;
	unsigned char tmpbuf[count + 1];
	unsigned char *tmpbuf;
	struct rmidev_data *dev_data = filp->private_data;

	if (IS_ERR(dev_data)) {
@@ -313,6 +313,10 @@ static ssize_t rmidev_read(struct file *filp, char __user *buf,
	if (count > (REG_ADDR_LIMIT - *f_pos))
		count = REG_ADDR_LIMIT - *f_pos;

	tmpbuf = kzalloc(count + 1, GFP_KERNEL);
	if (!tmpbuf)
		return -ENOMEM;

	mutex_lock(&(dev_data->file_mutex));

	retval = rmidev->fn_ptr->read(rmidev->rmi4_data,
@@ -329,7 +333,7 @@ static ssize_t rmidev_read(struct file *filp, char __user *buf,

clean_up:
	mutex_unlock(&(dev_data->file_mutex));

	kfree(tmpbuf);
	return retval;
}

@@ -345,7 +349,7 @@ static ssize_t rmidev_write(struct file *filp, const char __user *buf,
		size_t count, loff_t *f_pos)
{
	ssize_t retval;
	unsigned char tmpbuf[count + 1];
	unsigned char *tmpbuf;
	struct rmidev_data *dev_data = filp->private_data;

	if (IS_ERR(dev_data)) {
@@ -359,8 +363,14 @@ static ssize_t rmidev_write(struct file *filp, const char __user *buf,
	if (count > (REG_ADDR_LIMIT - *f_pos))
		count = REG_ADDR_LIMIT - *f_pos;

	if (copy_from_user(tmpbuf, buf, count))
	tmpbuf = kzalloc(count + 1, GFP_KERNEL);
	if (!tmpbuf)
		return -ENOMEM;

	if (copy_from_user(tmpbuf, buf, count)) {
		kfree(tmpbuf);
		return -EFAULT;
	}

	mutex_lock(&(dev_data->file_mutex));

@@ -372,7 +382,7 @@ static ssize_t rmidev_write(struct file *filp, const char __user *buf,
		*f_pos += retval;

	mutex_unlock(&(dev_data->file_mutex));

	free(tmpbuf);
	return retval;
}
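Review bot: The tail of rmidev_write releases the buffer with `free(tmpbuf);`, while the same position in rmidev_read in this file and both functions in the first file use `kfree(tmpbuf);`; there is no `free()` in kernel code, so as shown this hunk would not build and, if it did, would not pair with the `kzalloc()` made earlier in the function. It should read `kfree(tmpbuf);`. The rest of the allocate/free pairing in this file mirrors the first file and is consistent on the visible lines; the body between the hunks is not shown.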