disp: msm: add check for buffer length before copy

Length of the buffer to be copied is checked
against both source and destination buffer lengths
before copying. This ensures that there is  no
buffer overflow while reading as well as writing.

Change-Id: I4bd1a5892b47771aef4c23a4d1594fc1c8361577
Signed-off-by: Satya Rama Aditya Pinapala <psraditya30@codeaurora.org>
此提交包含在:
Satya Rama Aditya Pinapala
2019-10-21 13:47:52 -07:00
父節點 ca2fbfd531
當前提交 be08b4e451
共有 3 個檔案被更改,包括 17 行新增3 行删除

查看文件

@@ -116,6 +116,9 @@ static ssize_t debugfs_state_info_read(struct file *file,
dsi_ctrl->clk_freq.pix_clk_rate, dsi_ctrl->clk_freq.pix_clk_rate,
dsi_ctrl->clk_freq.esc_clk_rate); dsi_ctrl->clk_freq.esc_clk_rate);
if (len > count)
len = count;
len = min_t(size_t, len, SZ_4K); len = min_t(size_t, len, SZ_4K);
if (copy_to_user(buff, buf, len)) { if (copy_to_user(buff, buf, len)) {
kfree(buf); kfree(buf);
@@ -171,6 +174,8 @@ static ssize_t debugfs_reg_dump_read(struct file *file,
return rc; return rc;
} }
if (len > count)
len = count;
len = min_t(size_t, len, SZ_4K); len = min_t(size_t, len, SZ_4K);
if (copy_to_user(buff, buf, len)) { if (copy_to_user(buff, buf, len)) {

查看文件

@@ -1731,7 +1731,10 @@ static ssize_t _sde_debugfs_conn_cmd_tx_sts_read(struct file *file,
return 0; return 0;
} }
blen = min_t(size_t, MAX_CMD_PAYLOAD_SIZE, count); if (blen > count)
blen = count;
blen = min_t(size_t, blen, MAX_CMD_PAYLOAD_SIZE);
if (copy_to_user(buf, buffer, blen)) { if (copy_to_user(buf, buffer, blen)) {
SDE_ERROR("copy to user buffer failed\n"); SDE_ERROR("copy to user buffer failed\n");
return -EFAULT; return -EFAULT;

查看文件

@@ -1105,7 +1105,10 @@ end:
if (blen <= 0) if (blen <= 0)
return 0; return 0;
blen = min_t(size_t, MAX_BUFFER_SIZE, count); if (blen > count)
blen = count;
blen = min_t(size_t, blen, MAX_BUFFER_SIZE);
if (copy_to_user(buf, buffer, blen)) if (copy_to_user(buf, buffer, blen))
return -EFAULT; return -EFAULT;
@@ -1199,7 +1202,10 @@ end:
if (blen <= 0) if (blen <= 0)
return 0; return 0;
blen = min_t(size_t, MAX_BUFFER_SIZE, count); if (blen > count)
blen = count;
blen = min_t(size_t, blen, MAX_BUFFER_SIZE);
if (copy_to_user(buf, buffer, blen)) if (copy_to_user(buf, buffer, blen))
return -EFAULT; return -EFAULT;