From 6dec23e2d32dd103cb6ece90a831f3bb224a8f4f Mon Sep 17 00:00:00 2001 From: Nirmal Abraham Date: Fri, 16 Aug 2019 16:39:17 +0530 Subject: [PATCH] fbdev: msm: Avoid UAF in mdss_dsi_cmd_write In mdss_dsi_cmd_write, a failure in copying the cmds to 'string_buf' can cause an early return. In this case, the 'pcmds->string_buf' won't be pointing to a valid buffer. This can lead to use-after-free and memory leak. To avoid this, assign the newly allocated buffer to 'pcmds->string_buf' after returning from krealloc call. Change-Id: I286f12c86078d1989cb09453c8a395a4ad94b324 Signed-off-by: Nirmal Abraham --- drivers/video/fbdev/msm/mdss_dsi.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/drivers/video/fbdev/msm/mdss_dsi.c b/drivers/video/fbdev/msm/mdss_dsi.c index 419991a98d4e..c2cfc8e0532e 100644 --- a/drivers/video/fbdev/msm/mdss_dsi.c +++ b/drivers/video/fbdev/msm/mdss_dsi.c @@ -888,7 +888,7 @@ static ssize_t mdss_dsi_cmd_write(struct file *file, const char __user *p, { struct buf_data *pcmds = file->private_data; ssize_t ret = 0; - int blen = 0; + unsigned int blen = 0; char *string_buf; mutex_lock(&pcmds->dbg_mutex); @@ -900,6 +900,11 @@ static ssize_t mdss_dsi_cmd_write(struct file *file, const char __user *p, /* Allocate memory for the received string */ blen = count + (pcmds->sblen); + if (blen > U32_MAX - 1) { + mutex_unlock(&pcmds->dbg_mutex); + return -EINVAL; + } + string_buf = krealloc(pcmds->string_buf, blen + 1, GFP_KERNEL); if (!string_buf) { pr_err("%s: Failed to allocate memory\n", __func__); @@ -907,6 +912,7 @@ static ssize_t mdss_dsi_cmd_write(struct file *file, const char __user *p, return -ENOMEM; } + pcmds->string_buf = string_buf; /* Writing in batches is possible */ ret = simple_write_to_buffer(string_buf, blen, ppos, p, count); if (ret < 0) { @@ -916,7 +922,6 @@ static ssize_t mdss_dsi_cmd_write(struct file *file, const char __user *p, } string_buf[ret] = '\0'; - pcmds->string_buf = string_buf; pcmds->sblen = count; mutex_unlock(&pcmds->dbg_mutex); return ret;