Commit accb48b3 authored May 25, 2017 by Ashish Garg Committed by Gerrit - the friendly Code Review server May 30, 2017

msm: mdss: validate number of cea blocks before reading from edid_buf



Number of cea blocks are read from edid buffer which comes from the
user. If the number of cea blocks are more than the supported blocks
kernel information leak is possible by reading more data than is
present in edid_buf.

Change-Id: I03b8456ff1e1a7b15d711f06908bd5c83f83cc02
Signed-off-by: Ashish Garg <ashigarg@codeaurora.org>

parent 293603c0

drivers/video/msm/mdss/mdss_hdmi_tx.c

+5 −0

Original line number	Diff line number	Diff line
		@@ -595,6 +595,11 @@ static ssize_t hdmi_tx_sysfs_rda_edid(struct device *dev,

		mutex_lock(&hdmi_ctrl->tx_lock);
		cea_blks = hdmi_ctrl->edid_buf[EDID_BLOCK_SIZE - 2];
		if (cea_blks >= MAX_EDID_BLOCKS) {
		DEV_ERR("%s: invalid cea blocks\n", __func__);
		mutex_unlock(&hdmi_ctrl->tx_lock);
		return -EINVAL;
		}
		size = (cea_blks + 1) * EDID_BLOCK_SIZE;
		size = min_t(u32, size, PAGE_SIZE);