touchscreen: sec_ts: Fix array OOB issues in the sec_ts touch driver.

The sec_ts touch driver's sysfs store callback had a couple of userspace buffer
copy operations that did not check the validity of the length being copied
from the source buffer. This CL adds the necessary boundary checks to make sure
the destination kernel buffer is not overflowed.

Bug: 120211708
Bug: 120211415
Change-Id: I8bfe1ab9ae50d89ce12eeaf856204c20056a2061
Signed-off-by: Biswajit Dash <bisdash@google.com>
Signed-off-by: Danny Lin <danny@kdrag0n.dev>
Biswajit Dash 2019-01-14 12:17:26 -08:00 committed by L R
parent 8c60e92672
commit 448ef21d7d
1 changed files with 10 additions and 8 deletions


@ -62,19 +62,20 @@ static ssize_t sec_cmd_store(struct device *dev,
struct sec_cmd_data *data = dev_get_drvdata(dev);
char *cur, *start, *end;
char buff[SEC_CMD_STR_LEN] = { 0 };
int len, i;
size_t len;
struct sec_cmd *sec_cmd_ptr = NULL;
char delim = ',';
bool cmd_found = false;
int param_cnt = 0;
unsigned int i, param_cnt = 0;
if (!data) {
pr_err("%s: No platform data found\n", __func__);
return -EINVAL;
}
if(strlen(buf) >= SEC_CMD_STR_LEN){
pr_err("%s: cmd length is over (%s,%d)!!\n", __func__, buf, (int)strlen(buf));
if (count >= SEC_CMD_STR_LEN) {
pr_err("%s: cmd length is over (%s,%d)!!\n",
__func__, buf, (int)count);
return -EINVAL;
}
if (data->cmd_is_running == true) {
@ -89,7 +90,7 @@ static ssize_t sec_cmd_store(struct device *dev,
data->cmd_state = SEC_CMD_STATUS_RUNNING;
for (i = 0; i < ARRAY_SIZE(data->cmd_param); i++)
data->cmd_param[i] = 0;
len = (int)count;
len = count;
if (*(buf + len - 1) == '\n')
len--;
memset(data->cmd, 0x00, ARRAY_SIZE(data->cmd));
@ -265,11 +266,12 @@ static ssize_t sec_cmd_store(struct device *dev, struct device_attribute *devatt
return -EINVAL;
}
if(strlen(buf) >= SEC_CMD_STR_LEN){
pr_err("%s: cmd length is over (%s,%d)!!\n", __func__, buf, (int)strlen(buf));
if (count >= SEC_CMD_STR_LEN) {
pr_err("%s: cmd length is over (%s,%d)!!\n",
__func__, buf, (int)count);
return -EINVAL;
}
strncpy(cmd.cmd, buf, count);
strlcpy(cmd.cmd, buf, sizeof(cmd.cmd));
mutex_lock(&data->fifo_lock);
if (kfifo_avail(&data->cmd_queue)) {
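Review bot: The new guard in sec_cmd_store rejects `count >= SEC_CMD_STR_LEN` but sets no lower bound, so in the second hunk `*(buf + len - 1)` still reads outside `buf` when `count` is 0. With `len` now a `size_t`, `len - 1` and the following `len--` wrap to a very large value instead of going to -1, and the later uses of `len` lie outside the hunks shown, so their behaviour in that case cannot be confirmed from here. If a zero-length write can reach this callback, guard the newline test with `if (len > 0 && buf[len - 1] == '\n')` or widen the early check to `if (count == 0 || count >= SEC_CMD_STR_LEN)`. Separately, both rejection paths still print the oversized `buf` with `%s`; logging only `count` would keep caller-controlled text out of the kernel log.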