From 738ad6d0cf76ebc6f42ef209951281a66d84f1e6 Mon Sep 17 00:00:00 2001
From: Ashish Garg
Date: Mon, 3 Jul 2017 22:23:53 +0530
Subject: [PATCH] msm: mdss: information leak during buffer copy from userspace

While trying to write dsi commands from userspace, the user buffer is copied using simple_write_to_buffer. If the number of bytes in the user buffer is less than the destination buffer, the length was set to the destination buffer length. Subsequently the buffer could be read from userspace to dump a lot of uninitialized kernel heap data. Update the destination buffer with the correct size of bytes copied from the user buffer.
Change-Id: Ib28f3698655d25ad8103fc02199a1d214092e232
Signed-off-by: Ashish Garg
---
 drivers/video/fbdev/msm/mdss_dsi.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/drivers/video/fbdev/msm/mdss_dsi.c b/drivers/video/fbdev/msm/mdss_dsi.c
index 82f6d4a123b5..4ac10ab494e5 100644
--- a/drivers/video/fbdev/msm/mdss_dsi.c
+++ b/drivers/video/fbdev/msm/mdss_dsi.c
@@ -909,10 +909,15 @@ static ssize_t mdss_dsi_cmd_write(struct file *file, const char __user *p,
 /* Writing in batches is possible */
 ret = simple_write_to_buffer(string_buf, blen, ppos, p, count);
+ if (ret < 0) {
+ pr_err("%s: Failed to copy data\n", __func__);
+ mutex_unlock(&pcmds->dbg_mutex);
+ return -EINVAL;
+ }
- string_buf[blen] = '\0';
+ string_buf[ret] = '\0';
 pcmds->string_buf = string_buf;
- pcmds->sblen = blen;
+ pcmds->sblen = count;
 mutex_unlock(&pcmds->dbg_mutex);
 return ret;
 }
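Review bot: `pcmds->sblen = count;` records the length the caller asked for, not the number of bytes simple_write_to_buffer actually copied, which is what `ret` holds and what the new terminator at `string_buf[ret]` is placed on; when the copy is clamped at the end of `string_buf` (or `*ppos` is already past it and 0 comes back), sblen overstates the valid data and the reader side can still walk past the terminator into uninitialized heap, the very leak this commit sets out to close. I would write `pcmds->sblen = ret;` so the length and the terminator agree. The "Writing in batches" comment also suggests `*ppos` may be non-zero on entry; if so the bytes land at an offset and both the terminator and sblen should presumably be derived from the updated `*ppos` rather than `ret` alone, which is worth confirming against the read path. The fixed `-EINVAL` on a negative return discards the error simple_write_to_buffer reported; `return ret;` would propagate it. mdss_dsi_cmd_write's head, including the allocation and sizing of string_buf, lies outside the hunk.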