evie/android_kernel_oneplus_msm8998
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

msm: mdss: Fix possible memory overwrite in pgc config

Browse source 
Possible memory overwrite in pgc get config is fixed by
eliminating direct reference to user data.

Change-Id: I7117848bacb8e69720eb3121d02bbacf02cab13a
Signed-off-by: Sravan Kumar D.V.N <sravank1@codeaurora.org>
This commit is contained in:
Sravan Kumar D.V.N 2017-07-05 11:59:08 +05:30 committed by Gerrit - the friendly Code Review server
parent bb760cae59
commit 99a3334a22
1 changed files with 9 additions and 5 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

14
drivers/video/fbdev/msm/mdss_mdp_pp_v1_7.c
View file

@ -1964,20 +1964,24 @@ static int pp_pgc_get_config(char __iomem *base_addr, void *cfg_data,
u32 *c0_data = NULL, *c1_data = NULL, *c2_data = NULL;
u32 val = 0, i = 0, sz = 0;
struct mdp_pgc_lut_data *pgc_data = NULL;
struct mdp_pgc_lut_data_v1_7 *pgc_data_v17 = NULL;
struct mdp_pgc_lut_data_v1_7 pgc_lut_data_v17;
struct mdp_pgc_lut_data_v1_7 *pgc_data_v17 = &pgc_lut_data_v17;
if (!base_addr || !cfg_data) {
pr_err("invalid params base_addr %pK cfg_data %pK block_type %d\n",
base_addr, cfg_data, block_type);
return -EINVAL;
}
pgc_data = (struct mdp_pgc_lut_data *) cfg_data;
pgc_data_v17 = (struct mdp_pgc_lut_data_v1_7 *)
pgc_data->cfg_payload;
if (pgc_data->version != mdp_pgc_v1_7 || !pgc_data_v17) {
if (pgc_data->version != mdp_pgc_v1_7 || !pgc_data->cfg_payload) {
pr_err("invalid pgc version %d payload %pK\n",
pgc_data->version, pgc_data_v17);
pgc_data->version, pgc_data->cfg_payload);
return -EINVAL;
}
if (copy_from_user(pgc_data_v17, (void __user *) pgc_data->cfg_payload,
sizeof(*pgc_data_v17))) {
pr_err("copy from user failed for pgc lut data\n");
return -EFAULT;
}
if (!(pgc_data->flags & MDP_PP_OPS_READ)) {
pr_info("read ops is not set %d", pgc_data->flags);
return -EINVAL;