Merge "drm/msm/dp: add checks to prevent buffer overflows"
This commit is contained in:
Linux Build Service Account
Gerrit - the friendly Code Review server
commit
3fca24c808
|
|
@ -192,6 +192,8 @@ static ssize_t dp_debug_write_dpcd(struct file *file,
|
||||||
goto bail;
|
goto bail;
|
||||||
|
|
||||||
size = min_t(size_t, count, SZ_2K);
|
size = min_t(size_t, count, SZ_2K);
|
||||||
|
if (size < 4)
|
||||||
|
goto bail;
|
||||||
|
|
||||||
buf = kzalloc(size, GFP_KERNEL);
|
buf = kzalloc(size, GFP_KERNEL);
|
||||||
if (ZERO_OR_NULL_PTR(buf)) {
|
if (ZERO_OR_NULL_PTR(buf)) {
|
||||||
|
|
@ -220,6 +222,8 @@ static ssize_t dp_debug_write_dpcd(struct file *file,
|
||||||
}
|
}
|
||||||
|
|
||||||
size -= 4;
|
size -= 4;
|
||||||
|
if (size == 0)
|
||||||
|
goto bail;
|
||||||
|
|
||||||
dpcd_size = size / char_to_nib;
|
dpcd_size = size / char_to_nib;
|
||||||
buf_t = buf + 4;
|
buf_t = buf + 4;
|
||||||
|
|
@ -271,6 +275,7 @@ static ssize_t dp_debug_read_dpcd(struct file *file,
|
||||||
|
|
||||||
len += snprintf(buf, SZ_8, "0x%x\n", debug->aux->reg);
|
len += snprintf(buf, SZ_8, "0x%x\n", debug->aux->reg);
|
||||||
|
|
||||||
|
len = min_t(size_t, count, len);
|
||||||
if (copy_to_user(user_buff, buf, len))
|
if (copy_to_user(user_buff, buf, len))
|
||||||
return -EFAULT;
|
return -EFAULT;
|
||||||
|
|
||||||
|
|
@ -428,7 +433,7 @@ static ssize_t dp_debug_write_exe_mode(struct file *file,
|
||||||
const char __user *user_buff, size_t count, loff_t *ppos)
|
const char __user *user_buff, size_t count, loff_t *ppos)
|
||||||
{
|
{
|
||||||
struct dp_debug_private *debug = file->private_data;
|
struct dp_debug_private *debug = file->private_data;
|
||||||
char *buf;
|
char buf[SZ_32];
|
||||||
size_t len = 0;
|
size_t len = 0;
|
||||||
|
|
||||||
if (!debug)
|
if (!debug)
|
||||||
|
|
@ -437,8 +442,11 @@ static ssize_t dp_debug_write_exe_mode(struct file *file,
|
||||||
if (*ppos)
|
if (*ppos)
|
||||||
return 0;
|
return 0;
|
||||||
|
|
||||||
|
/* Leave room for termination char */
|
||||||
len = min_t(size_t, count, SZ_32 - 1);
|
len = min_t(size_t, count, SZ_32 - 1);
|
||||||
buf = memdup_user(user_buff, len);
|
if (copy_from_user(buf, user_buff, len))
|
||||||
|
goto end;
|
||||||
|
|
||||||
buf[len] = '\0';
|
buf[len] = '\0';
|
||||||
|
|
||||||
if (sscanf(buf, "%3s", debug->exe_mode) != 1)
|
if (sscanf(buf, "%3s", debug->exe_mode) != 1)
|
||||||
|
|
@ -469,6 +477,7 @@ static ssize_t dp_debug_read_connected(struct file *file,
|
||||||
|
|
||||||
len += snprintf(buf, SZ_8, "%d\n", debug->usbpd->hpd_high);
|
len += snprintf(buf, SZ_8, "%d\n", debug->usbpd->hpd_high);
|
||||||
|
|
||||||
|
len = min_t(size_t, count, len);
|
||||||
if (copy_to_user(user_buff, buf, len))
|
if (copy_to_user(user_buff, buf, len))
|
||||||
return -EFAULT;
|
return -EFAULT;
|
||||||
|
|
||||||
|
|
@ -532,6 +541,7 @@ static ssize_t dp_debug_read_edid_modes(struct file *file,
|
||||||
}
|
}
|
||||||
mutex_unlock(&connector->dev->mode_config.mutex);
|
mutex_unlock(&connector->dev->mode_config.mutex);
|
||||||
|
|
||||||
|
len = min_t(size_t, count, len);
|
||||||
if (copy_to_user(user_buff, buf, len)) {
|
if (copy_to_user(user_buff, buf, len)) {
|
||||||
kfree(buf);
|
kfree(buf);
|
||||||
rc = -EFAULT;
|
rc = -EFAULT;
|
||||||
|
|
@ -621,6 +631,7 @@ static ssize_t dp_debug_read_info(struct file *file, char __user *user_buff,
|
||||||
if (dp_debug_check_buffer_overflow(rc, &max_size, &len))
|
if (dp_debug_check_buffer_overflow(rc, &max_size, &len))
|
||||||
goto error;
|
goto error;
|
||||||
|
|
||||||
|
len = min_t(size_t, count, len);
|
||||||
if (copy_to_user(user_buff, buf, len))
|
if (copy_to_user(user_buff, buf, len))
|
||||||
goto error;
|
goto error;
|
||||||
|
|
||||||
|
|
@ -653,6 +664,7 @@ static ssize_t dp_debug_bw_code_read(struct file *file,
|
||||||
len += snprintf(buf + len, (SZ_4K - len),
|
len += snprintf(buf + len, (SZ_4K - len),
|
||||||
"max_bw_code = %d\n", debug->panel->max_bw_code);
|
"max_bw_code = %d\n", debug->panel->max_bw_code);
|
||||||
|
|
||||||
|
len = min_t(size_t, count, len);
|
||||||
if (copy_to_user(user_buff, buf, len)) {
|
if (copy_to_user(user_buff, buf, len)) {
|
||||||
kfree(buf);
|
kfree(buf);
|
||||||
return -EFAULT;
|
return -EFAULT;
|
||||||
|
|
@ -678,6 +690,7 @@ static ssize_t dp_debug_tpg_read(struct file *file,
|
||||||
|
|
||||||
len += snprintf(buf, SZ_8, "%d\n", debug->dp_debug.tpg_state);
|
len += snprintf(buf, SZ_8, "%d\n", debug->dp_debug.tpg_state);
|
||||||
|
|
||||||
|
len = min_t(size_t, count, len);
|
||||||
if (copy_to_user(user_buff, buf, len))
|
if (copy_to_user(user_buff, buf, len))
|
||||||
return -EFAULT;
|
return -EFAULT;
|
||||||
|
|
||||||
|
|
@ -868,6 +881,7 @@ static ssize_t dp_debug_read_hdr(struct file *file,
|
||||||
goto error;
|
goto error;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
len = min_t(size_t, count, len);
|
||||||
if (copy_to_user(user_buff, buf, len)) {
|
if (copy_to_user(user_buff, buf, len)) {
|
||||||
kfree(buf);
|
kfree(buf);
|
||||||
rc = -EFAULT;
|
rc = -EFAULT;
|
||||||
|
|
@ -1027,6 +1041,7 @@ static ssize_t dp_debug_read_dump(struct file *file,
|
||||||
print_hex_dump(KERN_DEBUG, prefix, DUMP_PREFIX_NONE,
|
print_hex_dump(KERN_DEBUG, prefix, DUMP_PREFIX_NONE,
|
||||||
16, 4, buf, len, false);
|
16, 4, buf, len, false);
|
||||||
|
|
||||||
|
len = min_t(size_t, count, len);
|
||||||
if (copy_to_user(user_buff, buf, len))
|
if (copy_to_user(user_buff, buf, len))
|
||||||
return -EFAULT;
|
return -EFAULT;
|
||||||
|
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue