disp: msm: add check for buffer length before copy
Length of the buffer to be copied is checked against both source and destination buffer lengths before copying. This ensures that there is no buffer overflow while reading as well as writing. Change-Id: I4bd1a5892b47771aef4c23a4d1594fc1c8361577 Signed-off-by: Satya Rama Aditya Pinapala <psraditya30@codeaurora.org>
@@ -116,6 +116,9 @@ static ssize_t debugfs_state_info_read(struct file *file,
|
|||||||
dsi_ctrl->clk_freq.pix_clk_rate,
|
dsi_ctrl->clk_freq.pix_clk_rate,
|
||||||
dsi_ctrl->clk_freq.esc_clk_rate);
|
dsi_ctrl->clk_freq.esc_clk_rate);
|
||||||
|
|
||||||
|
if (len > count)
|
||||||
|
len = count;
|
||||||
|
|
||||||
len = min_t(size_t, len, SZ_4K);
|
len = min_t(size_t, len, SZ_4K);
|
||||||
if (copy_to_user(buff, buf, len)) {
|
if (copy_to_user(buff, buf, len)) {
|
||||||
kfree(buf);
|
kfree(buf);
|
||||||
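Review bot: The two clamps on `len` protect different buffers, and nothing at the copy site says which is which. The added `if (len > count) len = count;` bounds the write into the user buffer, while the existing `min_t(size_t, len, SZ_4K)` bounds the read from `buf`. A comment such as `/* count bounds the user buffer; SZ_4K bounds buf, which must be allocated with that size */` would keep the second bound from drifting if the allocation changes. The allocation of `buf` is outside this hunk, so its size should be confirmed against SZ_4K. The identical addition in debugfs_reg_dump_read wants the same comment.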
@@ -171,6 +174,8 @@ static ssize_t debugfs_reg_dump_read(struct file *file,
|
|||||||
return rc;
|
return rc;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if (len > count)
|
||||||
|
len = count;
|
||||||
|
|
||||||
len = min_t(size_t, len, SZ_4K);
|
len = min_t(size_t, len, SZ_4K);
|
||||||
if (copy_to_user(buff, buf, len)) {
|
if (copy_to_user(buff, buf, len)) {
|
||||||
|
@@ -1731,7 +1731,10 @@ static ssize_t _sde_debugfs_conn_cmd_tx_sts_read(struct file *file,
|
|||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
blen = min_t(size_t, MAX_CMD_PAYLOAD_SIZE, count);
|
if (blen > count)
|
||||||
|
blen = count;
|
||||||
|
|
||||||
|
blen = min_t(size_t, blen, MAX_CMD_PAYLOAD_SIZE);
|
||||||
if (copy_to_user(buf, buffer, blen)) {
|
if (copy_to_user(buf, buffer, blen)) {
|
||||||
SDE_ERROR("copy to user buffer failed\n");
|
SDE_ERROR("copy to user buffer failed\n");
|
||||||
return -EFAULT;
|
return -EFAULT;
|
||||||
|
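Review bot: The final clamp `blen = min_t(size_t, blen, MAX_CMD_PAYLOAD_SIZE);` protects the read from `buffer` only if `buffer` holds at least MAX_CMD_PAYLOAD_SIZE bytes, and its declaration is not visible in this hunk. If `buffer` is a local array, `blen = min_t(size_t, blen, sizeof(buffer));` ties the bound to the object actually being copied from, so a later change to the array size cannot reopen an over-read. The MAX_BUFFER_SIZE clamps in the two later hunks depend on their buffers in the same way. The function starts and ends outside the hunk, so this should be checked against the declaration.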
@@ -1105,7 +1105,10 @@ end:
|
|||||||
if (blen <= 0)
|
if (blen <= 0)
|
||||||
return 0;
|
return 0;
|
||||||
|
|
||||||
blen = min_t(size_t, MAX_BUFFER_SIZE, count);
|
if (blen > count)
|
||||||
|
blen = count;
|
||||||
|
|
||||||
|
blen = min_t(size_t, blen, MAX_BUFFER_SIZE);
|
||||||
if (copy_to_user(buf, buffer, blen))
|
if (copy_to_user(buf, buffer, blen))
|
||||||
return -EFAULT;
|
return -EFAULT;
|
||||||
|
|
||||||
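Review bot: `if (blen > count)` compares what appears to be a signed length with the `size_t` `count`, so `blen` is converted to unsigned for the comparison; the context line `if (blen <= 0)` implies the signed type. This is safe only because the `blen <= 0` early return sits directly above. A comment such as `/* blen > 0 is guaranteed by the check above, so the unsigned comparison with count is safe */` would guard against a later reorder, where a negative value would pass as a large unsigned length and up to min(count, MAX_BUFFER_SIZE) bytes that were never written would be copied out. The hunk at -1199 adds the same lines and wants the same comment. The enclosing functions start outside both hunks, so the declared type of `blen` should be confirmed.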
@@ -1199,7 +1202,10 @@ end:
|
|||||||
if (blen <= 0)
|
if (blen <= 0)
|
||||||
return 0;
|
return 0;
|
||||||
|
|
||||||
blen = min_t(size_t, MAX_BUFFER_SIZE, count);
|
if (blen > count)
|
||||||
|
blen = count;
|
||||||
|
|
||||||
|
blen = min_t(size_t, blen, MAX_BUFFER_SIZE);
|
||||||
if (copy_to_user(buf, buffer, blen))
|
if (copy_to_user(buf, buffer, blen))
|
||||||
return -EFAULT;
|
return -EFAULT;
|
||||||
|
|
||||||
|