disp: msm: sde: ensure string buffer is properly terminated

Give snprintf the max size possible to store in buffer or
copy_to_user instead of just truncating in order to ensure
the output string is properly terminated.

Change-Id: Id387e99cd035e39530b2c7de9484c0288efff605
Signed-off-by: Steve Cohen <cohens@codeaurora.org>
Steve Cohen
2020-02-04 15:15:40 -05:00
committed by Gerrit - the friendly Code Review server
parent f97e75d7ab
commit 1b7e54c362
2 changed files with 16 additions and 17 deletions


@@ -1357,6 +1357,7 @@ static ssize_t _sde_debugfs_mode_ctrl_read(struct file *file, char __user *buf,
struct sde_rsc_priv *rsc = file->private_data;
char buffer[MAX_BUFFER_SIZE];
int blen = 0;
size_t max_size = min_t(size_t, count, MAX_BUFFER_SIZE);
if (*ppos || !rsc || !rsc->hw_ops.mode_ctrl)
return 0;
@@ -1364,23 +1365,23 @@ static ssize_t _sde_debugfs_mode_ctrl_read(struct file *file, char __user *buf,
mutex_lock(&rsc->client_lock);
if (rsc->current_state == SDE_RSC_IDLE_STATE) {
pr_debug("debug node is not supported during idle state\n");
blen = snprintf(buffer, MAX_BUFFER_SIZE,
blen = scnprintf(buffer, max_size,
"hw state is not supported during idle pc\n");
goto end;
}
blen = rsc->hw_ops.mode_ctrl(rsc, MODE_READ, buffer,
MAX_BUFFER_SIZE, 0);
blen = rsc->hw_ops.mode_ctrl(rsc, MODE_READ, buffer, max_size, 0);
end:
mutex_unlock(&rsc->client_lock);
if (blen <= 0)
return 0;
if (blen > count)
if (blen > count) {
blen = count;
buffer[count - 1] = '\0';
}
blen = min_t(size_t, blen, MAX_BUFFER_SIZE);
if (copy_to_user(buf, buffer, blen))
return -EFAULT;
@@ -1447,6 +1448,7 @@ static ssize_t _sde_debugfs_vsync_mode_read(struct file *file, char __user *buf,
struct sde_rsc_priv *rsc = file->private_data;
char buffer[MAX_BUFFER_SIZE];
int blen = 0;
size_t max_size = min_t(size_t, count, MAX_BUFFER_SIZE);
if (*ppos || !rsc || !rsc->hw_ops.hw_vsync)
return 0;
@@ -1454,23 +1456,23 @@ static ssize_t _sde_debugfs_vsync_mode_read(struct file *file, char __user *buf,
mutex_lock(&rsc->client_lock);
if (rsc->current_state == SDE_RSC_IDLE_STATE) {
pr_debug("debug node is not supported during idle state\n");
blen = snprintf(buffer, MAX_BUFFER_SIZE,
blen = scnprintf(buffer, max_size,
"hw state is not supported during idle pc\n");
goto end;
}
blen = rsc->hw_ops.hw_vsync(rsc, VSYNC_READ, buffer,
MAX_BUFFER_SIZE, 0);
blen = rsc->hw_ops.hw_vsync(rsc, VSYNC_READ, buffer, max_size, 0);
end:
mutex_unlock(&rsc->client_lock);
if (blen <= 0)
return 0;
if (blen > count)
if (blen > count) {
blen = count;
buffer[count - 1] = '\0';
}
blen = min_t(size_t, blen, MAX_BUFFER_SIZE);
if (copy_to_user(buf, buffer, blen))
return -EFAULT;
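Review bot: In `_sde_debugfs_mode_ctrl_read` the added `buffer[count - 1] = '\0';` is indexed by the caller-supplied `count`, not by the clamped `max_size`, so the write stays inside `buffer` only if `rsc->hw_ops.mode_ctrl` never returns more than the size it was passed. That callback is not visible here; if it returns an snprintf-style length, a read with `count` above `MAX_BUFFER_SIZE` places the terminator past the stack array, and `count == 0` makes the index wrap. Bounding by the value already computed removes the dependency on the callback: `blen = min_t(size_t, blen, max_size);` followed by `if (blen && blen == max_size) buffer[blen - 1] = '\0';`. `_sde_debugfs_vsync_mode_read` has the same lines for `hw_ops.hw_vsync`, and both function bodies continue past the visible hunks.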