Commit e55268f0 authored by Ashay Jaiswal, committed by Gerrit - the friendly Code Review server

power: qpnp-fg: fix out-of-bound array access
The bucket-based cycle counter implementation allows user space
to set the bucket-id and read the counter associated with the bucket.
There is a possibility of setting a bucket-id beyond the maximum bucket
count, resulting in out-of-bound array access.

Fix this by adding a check to reject the bucket-id if it is greater than
the maximum bucket size.

CRs-Fixed: 847140
Change-Id: I9c0e9a7687fa3e765fe15a98176177d12a92b33d
Signed-off-by: Ashay Jaiswal <ashayj@codeaurora.org>
parent 819f45d3
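The commit message describes a 1-based bucket id chosen by user space and a counter read through `count[id - 1]`, which is why the patch rejects both `id <= 0` and `id > BUCKET_COUNT`. The following is an added user-space model of that pattern, written for this page and not code from the qpnp-fg driver. The names (`struct cyc_ctr`, `get_count_checked`, `checked_set_then_get`, the `LEAK_*` sentinels), the value of `BUCKET_COUNT`, and the backing array that surrounds the buckets are all assumptions made so that the unchecked read stays defined behaviour here and its result can be observed. It generalizes the patch's check by sweeping every id in a range, negative values included, through the checked path.

```c
#include <errno.h>
#include <stdio.h>

#define BUCKET_COUNT 8          /* assumed; the driver's constant is not on this page */

/* Constructed sentinels standing in for whatever memory sits just before
 * and just after count[] in the real driver. */
#define LEAK_BEFORE 0x41414141
#define LEAK_AFTER  0x42424242

/* Hypothetical model of the driver's cycle-counter state. The buckets live at
 * mem[1..BUCKET_COUNT] inside a larger array so that reading one element before
 * or after them is still defined behaviour in this model and shows what leaks. */
struct cyc_ctr {
    int en;                      /* counter enabled */
    int id;                      /* 1-based bucket id from user space, 0 = unset */
    int mem[BUCKET_COUNT + 2];   /* mem[0] and mem[BUCKET_COUNT + 1] are sentinels */
};

static int *buckets(struct cyc_ctr *c)
{
    return &c->mem[1];           /* count[] as the driver sees it */
}

static void cyc_ctr_init(struct cyc_ctr *c)
{
    c->en = 1;
    c->id = 0;
    c->mem[0] = LEAK_BEFORE;
    for (int i = 1; i <= BUCKET_COUNT; i++)
        c->mem[i] = i * 10;      /* bucket i has recorded i * 10 cycles */
    c->mem[BUCKET_COUNT + 1] = LEAK_AFTER;
}

/* Before the fix: the getter trusts id, so id 0 reads the element before
 * count[] and id BUCKET_COUNT + 1 reads the element after it. */
static int get_count_unchecked(struct cyc_ctr *c)
{
    if (!c->en)
        return 0;
    return buckets(c)[c->id - 1];
}

/* After the fix: setter and getter both insist on 1 <= id <= BUCKET_COUNT.
 * Testing id <= 0 rather than id == 0 matters because id is a signed int. */
static int set_id_checked(struct cyc_ctr *c, int id)
{
    if (id <= 0 || id > BUCKET_COUNT)
        return -EINVAL;
    c->id = id;
    return 0;
}

static int get_count_checked(struct cyc_ctr *c)
{
    if (!c->en)
        return 0;
    if (c->id <= 0 || c->id > BUCKET_COUNT)
        return -EINVAL;
    return buckets(c)[c->id - 1];
}

/* What the unchecked path returns for an id stored without validation.
 * Only call with 0 <= id <= BUCKET_COUNT + 1; anything else would leave
 * the model's backing array and no longer be defined behaviour. */
static int unchecked_read_for_id(int id)
{
    struct cyc_ctr c;
    cyc_ctr_init(&c);
    c.id = id;                   /* the old setter stored any value */
    return get_count_unchecked(&c);
}

/* Checked set followed by checked get. A rejected id leaves id at 0, which the
 * getter turns into -EINVAL instead of reading count[-1]. */
static int checked_set_then_get(int id)
{
    struct cyc_ctr c;
    cyc_ctr_init(&c);
    (void)set_id_checked(&c, id);
    return get_count_checked(&c);
}

/* Sweep ids in [lo, hi] and count any result that is neither the real bucket
 * value nor -EINVAL; a correct check yields 0 for any range. */
static int checked_bad_reads(int lo, int hi)
{
    int bad = 0;
    for (int id = lo; id <= hi; id++) {
        int expect = (id >= 1 && id <= BUCKET_COUNT) ? id * 10 : -EINVAL;
        if (checked_set_then_get(id) != expect)
            bad++;
    }
    return bad;
}

int main(void)
{
    printf("unchecked id 0  -> 0x%08x (memory before count[])\n", unchecked_read_for_id(0));
    printf("unchecked id %d  -> 0x%08x (memory after count[])\n",
           BUCKET_COUNT + 1, unchecked_read_for_id(BUCKET_COUNT + 1));
    printf("checked sweep -1000..1000 -> %d bad reads\n", checked_bad_reads(-1000, 1000));
    return 0;
}
```

The two sentinel reads are the whole bug in miniature: with a 1-based id and an `id - 1` index, an unset id of 0 is just as out of bounds as one past the end, which is why the check has to cover both ends of the range rather than only the "greater than maximum" case the commit message names.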
+10 −1
@@ -2242,6 +2242,9 @@ static int fg_get_cycle_count(struct fg_chip *chip)
	if (!chip->cyc_ctr.en)
		return 0;

	if ((chip->cyc_ctr.id <= 0) || (chip->cyc_ctr.id > BUCKET_COUNT))
		return -EINVAL;

	mutex_lock(&chip->cyc_ctr.lock);
	count = chip->cyc_ctr.count[chip->cyc_ctr.id - 1];
	mutex_unlock(&chip->cyc_ctr.lock);
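Review bot: the new range check reads chip->cyc_ctr.id before mutex_lock(&chip->cyc_ctr.lock), while the index in `count = chip->cyc_ctr.count[chip->cyc_ctr.id - 1];` is a second, separate read of the same field under the lock; the value validated and the value used are not guaranteed to be the same, and the setter in fg_power_set_property stores id without taking this lock. It is safe today only because that setter now refuses anything outside 1..BUCKET_COUNT; move the check inside the locked region or snapshot the id into a local, validate the local and index with it. Also, fg_get_cycle_count now returns -EINVAL on the same int return path that carries the count (and 0 when the counter is disabled), so confirm the caller distinguishes a negative errno from a count before it is reported to user space, otherwise -22 shows up as the cycle count.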
@@ -3081,7 +3084,13 @@ static int fg_power_set_property(struct power_supply *psy,
		}
		break;
	case POWER_SUPPLY_PROP_CYCLE_COUNT_ID:
		if ((val->intval > 0) && (val->intval <= BUCKET_COUNT)) {
			chip->cyc_ctr.id = val->intval;
		} else {
			pr_err("rejecting invalid cycle_count_id = %d\n",
								val->intval);
			rc = -EINVAL;
		}
		break;
	default:
		return -EINVAL;
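Review bot: the store `chip->cyc_ctr.id = val->intval;` in the POWER_SUPPLY_PROP_CYCLE_COUNT_ID case is done without chip->cyc_ctr.lock, while fg_get_cycle_count indexes count[] with that id under the lock; take the lock around the assignment so the reader cannot pair a stale id with the locked read. The pr_err() in the reject branch is reachable from any user-space write of an out-of-range id through the power_supply property, so a buggy or hostile writer can flood the kernel log; pr_err_ratelimited() or pr_debug() would be the safer choice. Minor: the reject branch sets rc = -EINVAL and breaks, whereas the default case returns -EINVAL directly; the two are only equivalent if nothing after the switch depends on rc, which is worth a quick check.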