From fed910ca51f2ec49cdf3ba57c9e649b0d3dc21e5 Mon Sep 17 00:00:00 2001 From: Ashish Garg Date: Fri, 9 Jun 2017 16:31:41 +0530 Subject: [PATCH] msm: mdss: validate the buffer size before allocating memory There is no validation of the "count" parameter, which is controlled by the user and used as a size of allocated memory. If the user provides a value of "0" for "count", then kmalloc would not return NULL, but also there will be a memory block of "zero" size. This can lead to buffer overflows. Also trying to access invalid memory will cause kernel crashes. Ensure to check that the number of bytes to be written is non-zero. If zero, return invalid input. Change-Id: I9613043881a91fd5a5f99337119c4a3d41493b54 Signed-off-by: Ashish Garg --- drivers/video/fbdev/msm/mdss_dsi.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/drivers/video/fbdev/msm/mdss_dsi.c b/drivers/video/fbdev/msm/mdss_dsi.c index 4f1333426113..adbcb97f8236 100644 --- a/drivers/video/fbdev/msm/mdss_dsi.c +++ b/drivers/video/fbdev/msm/mdss_dsi.c @@ -773,6 +773,11 @@ static ssize_t mdss_dsi_cmd_state_write(struct file *file, int *link_state = file->private_data; char *input; + if (!count) { + pr_err("%s: Zero bytes to be written\n", __func__); + return -EINVAL; + } + input = kmalloc(count, GFP_KERNEL); if (!input) { pr_err("%s: Failed to allocate memory\n", __func__);