
Commit bb46c918 authored by Ashish Garg

msm: mdss: information leak during buffer copy from userspace



While trying to write dsi commands from userspace, the user buffer
is copied using simple_write_to_buffer. If the number of bytes in
the user buffer is less than the destination buffer, the length was
set to the destination buffer length. Subsequently the buffer could
be read from userspace to dump a lot of uninitialized kernel heap
data. Update the destination buffer with the correct size of bytes
copied from the user buffer.

Change-Id: Ib28f3698655d25ad8103fc02199a1d214092e232
Signed-off-by: Ashish Garg <ashigarg@codeaurora.org>
parent 998e5be1
+7 −2
@@ -894,10 +894,15 @@ static ssize_t mdss_dsi_cmd_write(struct file *file, const char __user *p,

	/* Writing in batches is possible */
	ret = simple_write_to_buffer(string_buf, blen, ppos, p, count);
	if (ret < 0) {
		pr_err("%s: Failed to copy data\n", __func__);
		mutex_unlock(&pcmds->dbg_mutex);
		return -EINVAL;
	}

	string_buf[blen] = '\0';
	string_buf[ret] = '\0';
	pcmds->string_buf = string_buf;
	pcmds->sblen = blen;
	pcmds->sblen = count;
	mutex_unlock(&pcmds->dbg_mutex);
	return ret;
}
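
Review bot: `pcmds->sblen = count` stores the length the caller requested, not the number of bytes that were actually placed in `string_buf`. simple_write_to_buffer() copies at most what fits between `*ppos` and `blen`, so `ret` can be smaller than `count`, and a later read sized by `sblen` can still return bytes that were never written, which is the leak the commit message describes. Suggest deriving the length from the copy result instead (`ret` for a single write, or the updated `*ppos` since the comment notes that writing in batches is possible) and using the same index for the terminator: `string_buf[ret] = '\0'` lands at the size of the last chunk rather than at the end of the data when `*ppos` was non-zero on entry. Minor: the new error branch returns `-EINVAL` unconditionally; returning `ret` would preserve the original error code such as `-EFAULT`.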