Commit ff9515b8 authored by raghavendra ambadas, committed by Ritesh Kumar

fbdev: msm: check the length of the external input buffer properly



dchdr->dlen is a short variable controlled by the user-provided data.
If the value is negative, the loop continues, also increasing the value
of "len". As a result, a buffer overflow occurs. So define len as
unsigned and check against the length of the string input from user space.

Change-Id: I8bb9ab33d543c826eb330e16ae116385d823ca98
Signed-off-by: raghavendra ambadas <rambad@codeaurora.org>
Signed-off-by: Ritesh Kumar <riteshk@codeaurora.org>
parent 12e2085e
+4 −3
/* Copyright (c) 2012-2018, The Linux Foundation. All rights reserved.
/* Copyright (c) 2012-2019, The Linux Foundation. All rights reserved.
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License version 2 and
@@ -905,7 +905,8 @@ static ssize_t mdss_dsi_cmd_write(struct file *file, const char __user *p,
static int mdss_dsi_cmd_flush(struct file *file, fl_owner_t id)
{
	struct buf_data *pcmds = file->private_data;
	int blen, len, i;
	unsigned int len;
	int blen, i;
	char *buf, *bufp, *bp;
	struct dsi_ctrl_hdr *dchdr;
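Review bot: `len` becomes `unsigned int` here while `blen` stays `int` on the next line, so the two length variables in this function now differ in signedness, and an unsigned `len` can no longer go negative to end `while (len >= sizeof(*dchdr))`. Loop termination therefore depends entirely on the per-entry bounds check being correct. Consider making `blen` unsigned as well, or add a comment on why it must stay signed, and note next to the declaration that `len` must never be decremented by more than its current value.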

@@ -949,7 +950,7 @@ static int mdss_dsi_cmd_flush(struct file *file, fl_owner_t id)
	while (len >= sizeof(*dchdr)) {
		dchdr = (struct dsi_ctrl_hdr *)bp;
		dchdr->dlen = ntohs(dchdr->dlen);
		if (dchdr->dlen > len || dchdr->dlen < 0) {
		if (dchdr->dlen > (len - sizeof(*dchdr)) || dchdr->dlen < 0) {
			pr_err("%s: dtsi cmd=%x error, len=%d\n",
				__func__, dchdr->dtype, dchdr->dlen);
			kfree(buf);
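Review bot: In the new condition the sign check `dchdr->dlen < 0` comes after `dchdr->dlen > (len - sizeof(*dchdr))`, where the short `dlen` is converted to an unsigned type for the comparison, so a negative value is already rejected by the first clause, but only as a side effect of wrapping to a large number. Put `dchdr->dlen < 0` first so the intent does not rest on integer conversion rules. The subtraction `len - sizeof(*dchdr)` is safe only because the loop guard `len >= sizeof(*dchdr)` holds at that point; a one-line comment stating that would protect it from a later refactor. The `pr_err` would also be more useful for triage if it printed the remaining `len` alongside `dchdr->dlen`.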