From be08b4e4510978766bd14f74eaf38e52058785b6 Mon Sep 17 00:00:00 2001
From: Satya Rama Aditya Pinapala
Date: Mon, 21 Oct 2019 13:47:52 -0700
Subject: [PATCH] disp: msm: add check for buffer length before copy

Length of the buffer to be copied is checked against both source and destination buffer lengths before copying. This ensures that there is no buffer overflow while reading as well as writing.

Change-Id: I4bd1a5892b47771aef4c23a4d1594fc1c8361577
Signed-off-by: Satya Rama Aditya Pinapala
---
 msm/dsi/dsi_ctrl.c | 5 +++++
 msm/sde/sde_connector.c | 5 ++++-
 msm/sde_rsc.c | 10 ++++++++--
 3 files changed, 17 insertions(+), 3 deletions(-)
diff --git a/msm/dsi/dsi_ctrl.c b/msm/dsi/dsi_ctrl.c
index 599e8a9f5e..b922bb259d 100644
--- a/msm/dsi/dsi_ctrl.c
+++ b/msm/dsi/dsi_ctrl.c
@@ -116,6 +116,9 @@ static ssize_t debugfs_state_info_read(struct file *file,
 dsi_ctrl->clk_freq.pix_clk_rate,
 dsi_ctrl->clk_freq.esc_clk_rate);
+ if (len > count)
+ len = count;
+
 len = min_t(size_t, len, SZ_4K);
 if (copy_to_user(buff, buf, len)) {
 kfree(buf);
@@ -171,6 +174,8 @@ static ssize_t debugfs_reg_dump_read(struct file *file,
 return rc;
 }
+ if (len > count)
+ len = count;
 len = min_t(size_t, len, SZ_4K);
 if (copy_to_user(buff, buf, len)) {
diff --git a/msm/sde/sde_connector.c b/msm/sde/sde_connector.c
index c45dc8ca52..7681aa0311 100644
--- a/msm/sde/sde_connector.c
+++ b/msm/sde/sde_connector.c
@@ -1731,7 +1731,10 @@ static ssize_t _sde_debugfs_conn_cmd_tx_sts_read(struct file *file,
 return 0;
 }
- blen = min_t(size_t, MAX_CMD_PAYLOAD_SIZE, count);
+ if (blen > count)
+ blen = count;
+
+ blen = min_t(size_t, blen, MAX_CMD_PAYLOAD_SIZE);
 if (copy_to_user(buf, buffer, blen)) {
 SDE_ERROR("copy to user buffer failed\n");
 return -EFAULT;
diff --git a/msm/sde_rsc.c b/msm/sde_rsc.c
index ed380bcbf9..10b17372d1 100644
--- a/msm/sde_rsc.c
+++ b/msm/sde_rsc.c
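Review bot: Clamping `len` to `count` in debugfs_state_info_read (and again in the debugfs_reg_dump_read hunk at -171) turns a short user buffer into a silently truncated dump, and nothing visible in either hunk makes the remainder reachable on a later read. If the handlers return 0 for a non-zero file offset, which is outside the hunks and should be confirmed, the tail of the output is simply lost. After the `min_t` against `SZ_4K`, `simple_read_from_buffer(buff, count, ppos, buf, len)` would apply the destination bound and the offset in one call, assuming the offset parameter is named `ppos`; it advances the offset itself, so any manual update would have to go. Both function bodies start and end outside their hunks.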
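Review bot: The source-side bound in _sde_debugfs_conn_cmd_tx_sts_read is the macro `MAX_CMD_PAYLOAD_SIZE` rather than the size of `buffer` itself, so the copy stays in bounds only while the two are kept in step. The declaration of `buffer` is outside the hunk; if it is a local array, `blen = min_t(size_t, blen, sizeof(buffer));` would tie the limit to the object actually being read. Otherwise a comment such as `/* buffer holds MAX_CMD_PAYLOAD_SIZE bytes */` above the `min_t` would record the assumption. The two sde_rsc.c hunks use `MAX_BUFFER_SIZE` in the same way.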
@@ -1105,7 +1105,10 @@ end:
 if (blen <= 0)
 return 0;
- blen = min_t(size_t, MAX_BUFFER_SIZE, count);
+ if (blen > count)
+ blen = count;
+
+ blen = min_t(size_t, blen, MAX_BUFFER_SIZE);
 if (copy_to_user(buf, buffer, blen))
 return -EFAULT;
@@ -1199,7 +1202,10 @@ end:
 if (blen <= 0)
 return 0;
- blen = min_t(size_t, MAX_BUFFER_SIZE, count);
+ if (blen > count)
+ blen = count;
+
+ blen = min_t(size_t, blen, MAX_BUFFER_SIZE);
 if (copy_to_user(buf, buffer, blen))
 return -EFAULT;
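Review bot: The new `if (blen > count)` in the hunk at -1105 is correct only because of the `if (blen <= 0) return 0;` guard just above it. That guard suggests `blen` is signed, and `count` is presumably `size_t`, so without it a negative `blen` would be converted to a large unsigned value and clamped to `count` instead of being rejected. The ordering dependency deserves a comment, e.g. `/* blen > 0 here, so comparing it with the unsigned count is safe */`. The same applies to the second hunk at -1199 and, if `blen` is signed there as well, to the sde_connector.c hunk; both functions begin outside their hunks.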