disp: msm: add check for buffer length before copy

Length of the buffer to be copied is checked
against both source and destination buffer lengths
before copying. This ensures that there is  no
buffer overflow while reading as well as writing.

Change-Id: I4bd1a5892b47771aef4c23a4d1594fc1c8361577
Signed-off-by: Satya Rama Aditya Pinapala <[email protected]>

msm/dsi/dsi_ctrl.c

@@ -116,6 +116,9 @@ static ssize_t debugfs_state_info_read(struct file *file,
 			dsi_ctrl->clk_freq.pix_clk_rate,
 			dsi_ctrl->clk_freq.esc_clk_rate);
 
+	if (len > count)
+		len = count;
+
 	len = min_t(size_t, len, SZ_4K);
 	if (copy_to_user(buff, buf, len)) {
 		kfree(buf);
@@ -171,6 +174,8 @@ static ssize_t debugfs_reg_dump_read(struct file *file,
 		return rc;
 	}
 
+	if (len > count)
+		len = count;
 
 	len = min_t(size_t, len, SZ_4K);
 	if (copy_to_user(buff, buf, len)) {

msm/sde/sde_connector.c

@@ -1731,7 +1731,10 @@ static ssize_t _sde_debugfs_conn_cmd_tx_sts_read(struct file *file,
 		return 0;
 	}
 
-	blen = min_t(size_t, MAX_CMD_PAYLOAD_SIZE, count);
+	if (blen > count)
+		blen = count;
+
+	blen = min_t(size_t, blen, MAX_CMD_PAYLOAD_SIZE);
 	if (copy_to_user(buf, buffer, blen)) {
 		SDE_ERROR("copy to user buffer failed\n");
 		return -EFAULT;

msm/sde_rsc.c

@@ -1105,7 +1105,10 @@ end:
 	if (blen <= 0)
 		return 0;
 
-	blen = min_t(size_t, MAX_BUFFER_SIZE, count);
+	if (blen > count)
+		blen = count;
+
+	blen = min_t(size_t, blen, MAX_BUFFER_SIZE);
 	if (copy_to_user(buf, buffer, blen))
 		return -EFAULT;
 
@@ -1199,7 +1202,10 @@ end:
 	if (blen <= 0)
 		return 0;
 
-	blen = min_t(size_t, MAX_BUFFER_SIZE, count);
+	if (blen > count)
+		blen = count;
+
+	blen = min_t(size_t, blen, MAX_BUFFER_SIZE);
 	if (copy_to_user(buf, buffer, blen))
 		return -EFAULT;