From a9c93223f4faf3eeaaa25b813a1fdee41aba806e Mon Sep 17 00:00:00 2001
From: Rashi Bindra
Date: Mon, 19 Mar 2018 14:07:27 +0530
Subject: [PATCH] msm: mdss: Fix for wrong length in copy_to_user
The caller could have a small buf passed (less then < blen). Since, the length of count and blen is not checked, it can write beyond the end of buf.
Change-Id: I9138cd742b6166937f3cc1cbf1af36f280c94bdb
Signed-off-by: Rashi Bindra
---
 drivers/video/fbdev/msm/mdss_dsi.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/video/fbdev/msm/mdss_dsi.c b/drivers/video/fbdev/msm/mdss_dsi.c
index 7b6153503af5..0d41f41371dd 100644
--- a/drivers/video/fbdev/msm/mdss_dsi.c
+++ b/drivers/video/fbdev/msm/mdss_dsi.c
@@ -1,4 +1,4 @@
-/* Copyright (c) 2012-2017, The Linux Foundation. All rights reserved.
+/* Copyright (c) 2012-2018, The Linux Foundation. All rights reserved.
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License version 2 and
@@ -760,7 +760,7 @@ static ssize_t mdss_dsi_cmd_state_read(struct file *file, char __user *buf,
 if (blen < 0)
 return 0;
- if (copy_to_user(buf, buffer, blen))
+ if (copy_to_user(buf, buffer, min(count, (size_t)blen+1)))
 return -EFAULT;
 *ppos += blen;
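Review bot: In the second hunk the clamped `copy_to_user(buf, buffer, min(count, (size_t)blen+1))` can copy fewer than `blen` bytes, yet the next visible statement still does `*ppos += blen`, so after a short read the file position (and the reported byte count, if the function returns `blen` below the hunk) is larger than what was actually written to `buf`. The `+1` also copies one byte past the formatted text, which is safe only if `blen` is always smaller than the size of `buffer`; the declaration and the formatting call are outside this hunk, so confirm that `blen` is not the untruncated length returned by `snprintf`. Letting the existing helper do the clamping and the offset bookkeeping avoids both problems: `return simple_read_from_buffer(buf, count, ppos, buffer, blen);`. The body of mdss_dsi_cmd_state_read starts and ends outside the hunk.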