samsung-sm8650/android_kernel_samsung_sm8650-modules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

asoc: codecs: Fix out of bounds access in register show function

Browse Source 
In register show function, when snprintf returns a negative value
out of bounds access occurs while copying the data to user.
Add return value check on snprintf before copy_to_user
to fix this and add sizeof() for tmp_buff to avoid buffer
overflow.

Change-Id: I15f1add37987d2176a165669d7a5b40bd576004c
Signed-off-by: Prasad Kumpatla <nkumpat@codeaurora.org>
This commit is contained in:
Prasad Kumpatla
2020-04-09 17:24:02 +05:30
committed by Gerrit - the friendly Code Review server
parent d187ddf230
commit d173af6770
1 changed files with 6 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
asoc/codecs/wsa883x/wsa883x.c
View File

@@ -254,7 +254,12 @@ static ssize_t swr_slave_reg_show(struct swr_device *pdev, char __user *ubuf,
swr_read(pdev, pdev->dev_num, i, &reg_val, 1); swr_read(pdev, pdev->dev_num, i, &reg_val, 1);
len = snprintf(tmp_buf, sizeof(tmp_buf), "0x%.3x: 0x%.2x\n", i, len = snprintf(tmp_buf, sizeof(tmp_buf), "0x%.3x: 0x%.2x\n", i,
(reg_val & 0xFF)); (reg_val & 0xFF));
if (((total + len) >= count - 1) || (len < 0)) if (len < 0) {
pr_err("%s: fail to fill the buffer\n", __func__);
total = -EFAULT;
goto copy_err;
}
if ((total + len) >= count - 1)
break; break;
if (copy_to_user((ubuf + total), tmp_buf, len)) { if (copy_to_user((ubuf + total), tmp_buf, len)) {
pr_err("%s: fail to copy reg dump\n", __func__); pr_err("%s: fail to copy reg dump\n", __func__);