evie/android_kernel_oneplus_msm8998
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

scsi: ufs: Fix stack overflow read in ufs debugfs driver

Browse source 
When getting string from userspace by simple_write_to_buffer
in ufs_qcom_dbg_testbus_cfg_write() function, the string
copied to configuration is not terminated with '\0'. Thus
stack overflow read may occur while copying configuration to
host->testbus.select_major, which will result in information
leak later while printing error message. This change adds null
character at the end of the input string to avoid information
leak.

Change-Id: Ic9a9204def4bd6976f42f5f80ae5c0a9730afeb1
Signed-off-by: Sayali Lokhande <sayalil@codeaurora.org>
This commit is contained in:
Sayali Lokhande 2017-10-05 11:36:17 +05:30 committed by Gerrit - the friendly Code Review server
parent 82e598b10a
commit 644b4b6131
1 changed files with 2 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
drivers/scsi/ufs/ufs-qcom-debugfs.c
View file

@ -111,7 +111,7 @@ static ssize_t ufs_qcom_dbg_testbus_cfg_write(struct file *file,
loff_t *ppos)
{
struct ufs_qcom_host *host = file->f_mapping->host->i_private;
char configuration[TESTBUS_CFG_BUFF_LINE_SIZE] = {0};
char configuration[TESTBUS_CFG_BUFF_LINE_SIZE] = {'\0'};
loff_t buff_pos = 0;
char *comma;
int ret = 0;
@ -128,6 +128,7 @@ static ssize_t ufs_qcom_dbg_testbus_cfg_write(struct file *file,
__func__);
goto out;
}
configuration[ret] = '\0';
comma = strnchr(configuration, TESTBUS_CFG_BUFF_LINE_SIZE, ',');
if (!comma || comma == configuration) {