evie/android_kernel_oneplus_msm8998
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

msm: mdss: Fix for wrong length in copy_to_user

Browse source 
The caller could have a small buf passed (less then < blen).
Since, the length of count and blen is not checked, it can
write beyond the end of buf.

Change-Id: I9138cd742b6166937f3cc1cbf1af36f280c94bdb
Signed-off-by: Rashi Bindra <rbindra@codeaurora.org>
This commit is contained in:
Rashi Bindra 2018-03-19 14:07:27 +05:30
parent 3e1f25e955
commit a9c93223f4
1 changed files with 2 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
drivers/video/fbdev/msm/mdss_dsi.c
View file

@ -1,4 +1,4 @@
/* Copyright (c) 2012-2017, The Linux Foundation. All rights reserved.
/* Copyright (c) 2012-2018, The Linux Foundation. All rights reserved.
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2 and
@ -760,7 +760,7 @@ static ssize_t mdss_dsi_cmd_state_read(struct file *file, char __user *buf,
if (blen < 0)
return 0;
if (copy_to_user(buf, buffer, blen))
if (copy_to_user(buf, buffer, min(count, (size_t)blen+1)))
return -EFAULT;
*ppos += blen;