msm : mdss: Avoid arbitrary free of scale_data in error condition

In the mdss_fb_copy_destscaler_data function, when the code enters the
error section, it may free up some arbitrary kernel address. This may
generate a security vulnerability. Hence fixed the loop condition in
err: to the real count of allocated buffers to avoid this arbitrary free.

Change-Id: I4014a3bf9cb0f5da994fa5c0233b7940009be0cd
Signed-off-by: Harsh Sahu <hsahu@codeaurora.org>
Harsh Sahu 2017-02-16 19:52:02 -08:00 committed by Gerrit - the friendly Code Review server
parent 7066afbbe9
commit 3ce6c47d21

@ -4471,7 +4471,7 @@ err:
static int __mdss_fb_copy_destscaler_data(struct fb_info *info,
struct mdp_layer_commit *commit)
{
int i;
int i = 0;
int ret = 0;
u32 data_size;
struct mdp_destination_scaler_data __user *ds_data_user;
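Review bot: `int i = 0;` at the declaration is now load-bearing rather than cosmetic, and nothing at the declaration says so. The cleanup at err: begins with `i--`, so any `goto err` taken before the copy loop has set i would otherwise start from an indeterminate index. Please add a short comment here stating that i counts the entries whose scale buffer has been allocated, and check that no earlier code in the function reuses i for another loop ahead of a possible `goto err`.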
@ -4544,6 +4544,7 @@ static int __mdss_fb_copy_destscaler_data(struct fb_info *info,
data_size);
if (ret) {
pr_err("scale data copy from user failed\n");
kfree(scale_data);
goto err;
}
}
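Review bot: The `kfree(scale_data);` before `goto err` in the copy-failure branch is only correct together with the new `for (i--; i >= 0; i--)` loop, which skips index i, and this branch does not document that coupling. If `ds_data[i].scale` has already been pointed at this buffer by the time the copy fails, it is left dangling after the free. Either assign the field only after the copy succeeds, or add a comment here that the err: loop deliberately starts at i - 1.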
@ -4553,7 +4554,7 @@ static int __mdss_fb_copy_destscaler_data(struct fb_info *info,
err:
if (ds_data) {
for (i = 0; i < commit->commit_v1.dest_scaler_cnt; i++) {
for (i--; i >= 0; i--) {
scale_data = to_user_ptr(ds_data[i].scale);
kfree(scale_data);
}
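Review bot: In the err: loop, `kfree(scale_data)` still frees whatever `ds_data[i].scale` holds, so `for (i--; i >= 0; i--)` is safe only if every index below i has had that field replaced with a kernel allocation (or NULL). Please confirm that no iteration of the copy loop can advance i while leaving the user-supplied scale value in place; if that can happen, clear the field on that path. A dedicated counter of allocated buffers would make the invariant easier to see than reusing the loop index.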