Piteball
/
android_kernel_samsung_msm8976
mirror of https://github.com/team-infusion-developers/android_kernel_samsung_msm8976.git
1
1
Fork 0
Code Issues Projects Releases Wiki Activity

dev_freq: devfreq_spdm: add null terminator to prevent OOB access 

Add null terminator to end of buffered copied from user to prevent
over reading.

Change-Id: I80cfcb087ea2c335fd65d8fcdaf372c7d34a533d
Signed-off-by: David Dai <daidavid1@codeaurora.org>
This commit is contained in:
David Dai 2017-09-25 15:16:23 -07:00 committed by syphyr
parent 01d8ecac97
commit a189a10a90
1 changed files with 49 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

62
drivers/devfreq/devfreq_spdm_debugfs.c
View File

@ -34,7 +34,7 @@ static ssize_t enable_write(struct file *file, const char __user *data,
int i;
int next_idx;
if (size > sizeof(buf))
if (size > sizeof(buf) - 1)
return -EINVAL;
if (copy_from_user(buf, data, size)) {
@ -42,6 +42,8 @@ static ssize_t enable_write(struct file *file, const char __user *data,
size = -EINVAL;
}
buf[size] = '\0';
if (sscanf(buf, "%u\n", &i) != 1) {
size = -EINVAL;
goto err;
@ -105,7 +107,7 @@ static ssize_t pl_write(struct file *file, const char __user *data,
int ext_status = 0;
int i;
if (size > sizeof(buf))
if (size > sizeof(buf) - 1)
return -EINVAL;
if (copy_from_user(buf, data, size)) {
@ -113,6 +115,8 @@ static ssize_t pl_write(struct file *file, const char __user *data,
goto out;
}
buf[size] = '\0';
if (sscanf(buf, "%u %u\n", &spdm_data->config_data.pl_freqs[0],
&spdm_data->config_data.pl_freqs[1]) != 2) {
size = -EINVAL;
@ -164,7 +168,7 @@ static ssize_t rejrate_low_write(struct file *file, const char __user *data,
struct spdm_args desc = { { 0 } };
int ext_status = 0;
if (size > sizeof(buf))
if (size > sizeof(buf) - 1)
return -EINVAL;
if (copy_from_user(buf, data, size)) {
@ -172,6 +176,8 @@ static ssize_t rejrate_low_write(struct file *file, const char __user *data,
goto out;
}
buf[size] = '\0';
if (sscanf(buf, "%u %u\n", &spdm_data->config_data.reject_rate[0],
&spdm_data->config_data.reject_rate[1]) != 2) {
size = -EINVAL;
@ -224,13 +230,16 @@ static ssize_t rejrate_med_write(struct file *file, const char __user *data,
struct spdm_args desc = { { 0 } };
int ext_status = 0;
if (size > sizeof(buf))
if (size > sizeof(buf) - 1)
return -EINVAL;
if (copy_from_user(buf, data, size)) {
size = -EINVAL;
goto out;
}
buf[size] = '\0';
if (sscanf(buf, "%u %u\n", &spdm_data->config_data.reject_rate[2],
&spdm_data->config_data.reject_rate[3]) != 2) {
size = -EINVAL;
@ -282,13 +291,16 @@ static ssize_t rejrate_high_write(struct file *file, const char __user *data,
struct spdm_args desc = { { 0 } };
int ext_status = 0;
if (size > sizeof(buf))
if (size > sizeof(buf) - 1)
return -EINVAL;
if (copy_from_user(buf, data, size)) {
size = -EINVAL;
goto out;
}
buf[size] = '\0';
if (sscanf(buf, "%u %u\n", &spdm_data->config_data.reject_rate[4],
&spdm_data->config_data.reject_rate[5]) != 2) {
size = -EINVAL;
@ -340,13 +352,16 @@ static ssize_t resptime_low_write(struct file *file, const char __user *data,
struct spdm_args desc = { { 0 } };
int ext_status = 0;
if (size > sizeof(buf))
if (size > sizeof(buf) - 1)
return -EINVAL;
if (copy_from_user(buf, data, size)) {
size = -EINVAL;
goto out;
}
buf[size] = '\0';
if (sscanf(buf, "%u %u\n", &spdm_data->config_data.response_time_us[0],
&spdm_data->config_data.response_time_us[1]) != 2) {
size = -EINVAL;
@ -398,13 +413,16 @@ static ssize_t resptime_med_write(struct file *file, const char __user *data,
struct spdm_args desc = { { 0 } };
int ext_status = 0;
if (size > sizeof(buf))
if (size > sizeof(buf) - 1)
return -EINVAL;
if (copy_from_user(buf, data, size)) {
size = -EINVAL;
goto out;
}
buf[size] = '\0';
if (sscanf(buf, "%u %u\n", &spdm_data->config_data.response_time_us[2],
&spdm_data->config_data.response_time_us[3]) != 2) {
size = -EINVAL;
@ -456,13 +474,16 @@ static ssize_t resptime_high_write(struct file *file, const char __user *data,
struct spdm_args desc = { { 0 } };
int ext_status = 0;
if (size > sizeof(buf))
if (size > sizeof(buf) - 1)
return -EINVAL;
if (copy_from_user(buf, data, size)) {
size = -EINVAL;
goto out;
}
buf[size] = '\0';
if (sscanf(buf, "%u %u\n", &spdm_data->config_data.response_time_us[4],
&spdm_data->config_data.response_time_us[5]) != 2) {
size = -EINVAL;
@ -515,13 +536,16 @@ static ssize_t cciresptime_low_write(struct file *file,
struct spdm_args desc = { { 0 } };
int ext_status = 0;
if (size > sizeof(buf))
if (size > sizeof(buf) - 1)
return -EINVAL;
if (copy_from_user(buf, data, size)) {
size = -EINVAL;
goto out;
}
buf[size] = '\0';
if (sscanf(buf, "%u %u\n",
&spdm_data->config_data.cci_response_time_us[0],
&spdm_data->config_data.cci_response_time_us[1]) != 2) {
@ -575,13 +599,16 @@ static ssize_t cciresptime_med_write(struct file *file,
struct spdm_args desc = { { 0 } };
int ext_status = 0;
if (size > sizeof(buf))
if (size > sizeof(buf) - 1)
return -EINVAL;
if (copy_from_user(buf, data, size)) {
size = -EINVAL;
goto out;
}
buf[size] = '\0';
if (sscanf(buf, "%u %u\n",
&spdm_data->config_data.cci_response_time_us[2],
&spdm_data->config_data.cci_response_time_us[3]) != 2) {
@ -635,13 +662,16 @@ static ssize_t cciresptime_high_write(struct file *file,
struct spdm_args desc = { { 0 } };
int ext_status = 0;
if (size > sizeof(buf))
if (size > sizeof(buf) - 1)
return -EINVAL;
if (copy_from_user(buf, data, size)) {
size = -EINVAL;
goto out;
}
buf[size] = '\0';
if (sscanf(buf, "%u %u\n",
&spdm_data->config_data.cci_response_time_us[4],
&spdm_data->config_data.cci_response_time_us[5]) != 2){
@ -694,13 +724,16 @@ static ssize_t cci_max_write(struct file *file, const char __user *data,
struct spdm_args desc = { { 0 } };
int ext_status = 0;
if (size > sizeof(buf))
if (size > sizeof(buf) - 1)
return -EINVAL;
if (copy_from_user(buf, data, size)) {
size = -EINVAL;
goto out;
}
buf[size] = '\0';
if (sscanf(buf, "%u\n", &spdm_data->config_data.max_cci_freq) != 1) {
size = -EINVAL;
goto out;
@ -748,13 +781,16 @@ static ssize_t vote_cfg_write(struct file *file, const char __user *data,
struct spdm_args desc = { { 0 } };
int ext_status = 0;
if (size > sizeof(buf))
if (size > sizeof(buf) - 1)
return -EINVAL;
if (copy_from_user(buf, data, size)) {
size = -EINVAL;
goto out;
}
buf[size] = '\0';
if (sscanf(buf, "%u %u %u %u\n", &spdm_data->config_data.upstep,
&spdm_data->config_data.downstep,
&spdm_data->config_data.max_vote,