msm: mdss: information leak during buffer copy from userspace

While trying to write dsi commands from userspace, the user buffer
is copied using simple_write_to_buffer. If the number of bytes in
the user buffer is less than the destination buffer, the length was
set to the destination buffer length. Subsequently the buffer could
be read from userspace to dump a lot of uninitialized kernel heap
data. Update the destination buffer with the correct size of bytes
copied from the user buffer.

Change-Id: Ib28f3698655d25ad8103fc02199a1d214092e232
Signed-off-by: Ashish Garg <ashigarg@codeaurora.org>
Ashish Garg 2017-07-03 22:23:53 +05:30
parent bc399a65c4
commit 738ad6d0cf

@ -909,10 +909,15 @@ static ssize_t mdss_dsi_cmd_write(struct file *file, const char __user *p,
/* Writing in batches is possible */
ret = simple_write_to_buffer(string_buf, blen, ppos, p, count);
if (ret < 0) {
pr_err("%s: Failed to copy data\n", __func__);
mutex_unlock(&pcmds->dbg_mutex);
return -EINVAL;
}
string_buf[blen] = '\0';
string_buf[ret] = '\0';
pcmds->string_buf = string_buf;
pcmds->sblen = blen;
pcmds->sblen = count;
mutex_unlock(&pcmds->dbg_mutex);
return ret;
}
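
Review bot: `pcmds->sblen = count;` stores the length the caller asked to write, not the number of bytes that were actually copied. simple_write_to_buffer() copies at most the space left in the buffer after *ppos and returns that copied count in ret, so when count is larger than the remaining space sblen still overstates the valid data, which is the same class of over-read the commit message describes. The terminator line has a related offset problem: the comment says writing in batches is possible, but on a write with a non-zero *ppos the data ends at the updated *ppos rather than at ret, so `string_buf[ret] = '\0';` would cut the string inside the earlier batch. Suggest using ret instead of count for the single-write case, or, if batch writes are meant to work, deriving both the terminator index and sblen from *ppos after the call (it is at most blen whenever ret > 0), and confirming string_buf has room for a terminator at index blen. The ret == 0 case (offset already at or past blen) should also be handled explicitly rather than falling through to these assignments.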