evie/android_kernel_oneplus_msm8998
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

msm: camera: Prevent buffer overread in write_logsync.

Browse source 
If userspace issues write with string of length 21 or more then
there is a chance that kernel will overread lbuf array.
This change makes sure that lbuf is NULL terminated.

Change-Id: I9ad6d5a607b2ff1f293512be9746ee554b076b10
Signed-off-by: Trishansh Bhardwaj <tbhardwa@codeaurora.org>
This commit is contained in:
Trishansh Bhardwaj 2017-12-22 11:53:26 +05:30 committed by Gerrit - the friendly Code Review server
parent 55cc722ec6
commit 1240d01e09
1 changed files with 1 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
drivers/media/platform/msm/camera_v2/msm.c
View file

@ -1288,7 +1288,7 @@ static ssize_t write_logsync(struct file *file, const char __user *buf,
uint64_t seq_num = 0; uint64_t seq_num = 0;
int ret; int ret;
if (copy_from_user(lbuf, buf, sizeof(lbuf))) if (copy_from_user(lbuf, buf, sizeof(lbuf) - 1))
return -EFAULT; return -EFAULT;
ret = sscanf(lbuf, "%llu", &seq_num); ret = sscanf(lbuf, "%llu", &seq_num);