From 20beccf7d42121a67c7fd2d53993b61c950e1891 Mon Sep 17 00:00:00 2001
From: Trishansh Bhardwaj
Date: Fri, 6 Jul 2018 16:08:12 +0530
Subject: [PATCH] msm: camera: Fix out-of-bounds read in string class name.

jpeg driver is calling class_create with stack variable, which can be overwritten by other stack variables.

Bug: 114041685
Change-Id: I3c22a5b3375b970ff6b1c6de983dd5833f4e11d0
Signed-off-by: Trishansh Bhardwaj
Signed-off-by: VijayaKumar T M
---
 drivers/media/platform/msm/camera_v2/jpeg_10/msm_jpeg_dev.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/drivers/media/platform/msm/camera_v2/jpeg_10/msm_jpeg_dev.c b/drivers/media/platform/msm/camera_v2/jpeg_10/msm_jpeg_dev.c
index 06e3ee4c353b..5ef08cbe9aee 100644
--- a/drivers/media/platform/msm/camera_v2/jpeg_10/msm_jpeg_dev.c
+++ b/drivers/media/platform/msm/camera_v2/jpeg_10/msm_jpeg_dev.c
@@ -1,4 +1,4 @@
-/* Copyright (c) 2012-2017, The Linux Foundation. All rights reserved.
+/* Copyright (c) 2012-2018, The Linux Foundation. All rights reserved.
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License version 2 and
@@ -32,6 +32,8 @@
 #define MSM_JPEG_NAME "jpeg"
 #define DEV_NAME_LEN 10
 
+static char devname[DEV_NAME_LEN];
+
 static int msm_jpeg_open(struct inode *inode, struct file *filp)
 {
 int rc = 0;
@@ -185,7 +187,6 @@ static int msm_jpeg_init_dev(struct platform_device *pdev)
 struct msm_jpeg_device *msm_jpeg_device_p;
 const struct of_device_id *device_id;
 const struct msm_jpeg_priv_data *priv_data;
- char devname[DEV_NAME_LEN];
 
 msm_jpeg_device_p = kzalloc(sizeof(struct msm_jpeg_device), GFP_ATOMIC);
 if (!msm_jpeg_device_p) {
@@ -328,6 +329,7 @@ static struct platform_driver msm_jpeg_driver = {
 static int __init msm_jpeg_driver_init(void)
 {
 int rc;
+
 rc = platform_driver_register(&msm_jpeg_driver);
 return rc;
 }
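Review bot: The file-scope `static char devname[DEV_NAME_LEN];` added after the `DEV_NAME_LEN` define in the second hunk is a single buffer shared by every device this driver probes, so it fixes the stack-lifetime problem but leaves the name without a per-device owner. Per the commit message the buffer is handed to class_create(), which keeps the pointer rather than copying the string, so a later call to msm_jpeg_init_dev would presumably rewrite the name that an already-registered class still points at; the code that fills and passes `devname` is outside the visible hunks, so this is inferred. If more than one instance can probe, tie the name to the device lifetime instead, for example a `char devname[DEV_NAME_LEN];` member in `struct msm_jpeg_device`, or a `kasprintf()` allocation freed on teardown. Either way the declaration deserves a comment such as `/* name passed to class_create(); must outlive the class, so not on the stack */`.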