From 448ef21d7dfeb7d65f96fe996cce3aa3dc2fb682 Mon Sep 17 00:00:00 2001 From: Biswajit Dash Date: Mon, 14 Jan 2019 12:17:26 -0800 Subject: [PATCH] touchscreen: sec_ts: Fix array OOB issues in the sec_ts touch driver. sec_ts touch driver sysfs store callback had couple of userspace buffer copy operations where it was not checking for validity of length being copied from source buffer. This CL adds necessary boundary checks to make sure the destination kernel buffer is not overflown. Bug: 120211708 Bug: 120211415 Change-Id: I8bfe1ab9ae50d89ce12eeaf856204c20056a2061 Signed-off-by: Biswajit Dash Signed-off-by: Danny Lin
---
 drivers/input/sec_cmd.c | 18 ++++++++++--------
 1 file changed, 10 insertions(+), 8 deletions(-)
diff --git a/drivers/input/sec_cmd.c b/drivers/input/sec_cmd.c
index 1110571ef016..2a082e912356 100644
--- a/drivers/input/sec_cmd.c
+++ b/drivers/input/sec_cmd.c
@@ -62,19 +62,20 @@ static ssize_t sec_cmd_store(struct device *dev,
 struct sec_cmd_data *data = dev_get_drvdata(dev);
 char *cur, *start, *end;
 char buff[SEC_CMD_STR_LEN] = { 0 };
- int len, i;
+ size_t len;
 struct sec_cmd *sec_cmd_ptr = NULL;
 char delim = ',';
 bool cmd_found = false;
- int param_cnt = 0;
+ unsigned int i, param_cnt = 0;
 if (!data) {
 pr_err("%s: No platform data found\n", __func__);
 return -EINVAL;
 }
- if(strlen(buf) >= SEC_CMD_STR_LEN){
- pr_err("%s: cmd length is over (%s,%d)!!\n", __func__, buf, (int)strlen(buf));
+ if (count >= SEC_CMD_STR_LEN) {
+ pr_err("%s: cmd length is over (%s,%d)!!\n",
+ __func__, buf, (int)count);
 return -EINVAL;
 }
 if (data->cmd_is_running == true) {
@@ -89,7 +90,7 @@ static ssize_t sec_cmd_store(struct device *dev,
 data->cmd_state = SEC_CMD_STATUS_RUNNING;
 for (i = 0; i < ARRAY_SIZE(data->cmd_param); i++)
 data->cmd_param[i] = 0;
- len = (int)count;
+ len = count;
 if (*(buf + len - 1) == '\n')
 len--;
 memset(data->cmd, 0x00, ARRAY_SIZE(data->cmd));
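Review bot: The rejection path of the new `count >= SEC_CMD_STR_LEN` check in the `@@ -62,19` hunk still prints the whole oversized `buf` with `%s` and narrows `count` to `int` for `%d`, so a write that is refused for being too long is echoed in full into the kernel log. Logging only the length is enough to diagnose the rejection, e.g. `pr_err("%s: cmd length is over (%zu)!!\n", __func__, count);`. The same log line is added in the `@@ -265,11` hunk and deserves the same change. The body of sec_cmd_store starts and continues outside this hunk.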
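Review bot: In the `@@ -89,7` hunk, `len` is now a `size_t`, so `*(buf + len - 1)` has no lower bound: with `count == 0` the read lands one byte before `buf`, and if that byte is a newline `len--` wraps to a huge value. The sysfs core is understood not to invoke store callbacks with a zero count, so this is probably unreachable today, but a local guard keeps the function safe on its own: `if (len && buf[len - 1] == '\n')`. The later uses of `len` are outside this hunk; it is worth confirming each one is bounded by the earlier `count >= SEC_CMD_STR_LEN` check.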
@@ -265,11 +266,12 @@ static ssize_t sec_cmd_store(struct device *dev, struct device_attribute *devatt
 return -EINVAL;
 }
- if(strlen(buf) >= SEC_CMD_STR_LEN){
- pr_err("%s: cmd length is over (%s,%d)!!\n", __func__, buf, (int)strlen(buf));
+ if (count >= SEC_CMD_STR_LEN) {
+ pr_err("%s: cmd length is over (%s,%d)!!\n",
+ __func__, buf, (int)count);
 return -EINVAL;
 }
- strncpy(cmd.cmd, buf, count);
+ strlcpy(cmd.cmd, buf, sizeof(cmd.cmd));
 mutex_lock(&data->fifo_lock);
 if (kfifo_avail(&data->cmd_queue)) {
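Review bot: `strlcpy(cmd.cmd, buf, sizeof(cmd.cmd))` bounds the write, but its return value is ignored and the guard above compares `count` with SEC_CMD_STR_LEN rather than with the destination size. The declaration of `cmd.cmd` is not visible in this hunk; if it is smaller than SEC_CMD_STR_LEN, an over-long command would be silently truncated and then queued instead of rejected. Checking against the destination, `if (count >= sizeof(cmd.cmd))`, or using a copy that reports truncation where the tree provides it, `if (strscpy(cmd.cmd, buf, sizeof(cmd.cmd)) < 0) return -EINVAL;`, makes the failure explicit. The function body starts and continues outside this hunk.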