diff options
author | Ravi Kumar Siddojigari <rsiddoji@codeaurora.org> | 2016-09-20 14:27:36 +0530 |
---|---|---|
committer | Shantanu Jain <shjain@codeaurora.org> | 2016-10-03 17:27:52 +0530 |
commit | dab813eaa571e2784647e6732a04e34577dab427 (patch) | |
tree | af4cfdaa9dc75ccee5b4ff73aff4e5d4cb77a931 | |
parent | e4e58248efa8d03b39982c26566d846e2baa2687 (diff) |
input: synaptics_dsx: allocate heap memory for temp buf
There is a possible stack overflow vulnerability in the rmidev_write
function because the stack array size is from user space.
changes to allocate heap memory for the temporary buffer instead of
stack memory to prevent the stack overflow vulnerability.
As discussed under CVE-2016-3865 and ANDROID-28799389.
Change-Id: I20f639e09aaf3c533c98a12a2413570feae3d6d0
Signed-off-by: Ravi Kumar Siddojigari <rsiddoji@codeaurora.org>
Signed-off-by: Shantanu Jain <shjain@codeaurora.org>
-rw-r--r-- | drivers/input/touchscreen/synaptics_dsx/synaptics_dsx_rmi_dev.c | 21 |
1 files changed, 15 insertions, 6 deletions
diff --git a/drivers/input/touchscreen/synaptics_dsx/synaptics_dsx_rmi_dev.c b/drivers/input/touchscreen/synaptics_dsx/synaptics_dsx_rmi_dev.c index 4c341ffb6094..9d61eb110e2f 100644 --- a/drivers/input/touchscreen/synaptics_dsx/synaptics_dsx_rmi_dev.c +++ b/drivers/input/touchscreen/synaptics_dsx/synaptics_dsx_rmi_dev.c @@ -347,7 +347,7 @@ static ssize_t rmidev_read(struct file *filp, char __user *buf, size_t count, loff_t *f_pos) { ssize_t retval; - unsigned char tmpbuf[count + 1]; + unsigned char *tmpbuf; struct rmidev_data *dev_data = filp->private_data; if (IS_ERR(dev_data)) { @@ -361,6 +361,10 @@ static ssize_t rmidev_read(struct file *filp, char __user *buf, if (count > (REG_ADDR_LIMIT - *f_pos)) count = REG_ADDR_LIMIT - *f_pos; + tmpbuf = kzalloc(count + 1, GFP_KERNEL); + if (!tmpbuf) + return -ENOMEM; + mutex_lock(&(dev_data->file_mutex)); retval = synaptics_rmi4_reg_read(rmidev->rmi4_data, @@ -377,7 +381,7 @@ static ssize_t rmidev_read(struct file *filp, char __user *buf, clean_up: mutex_unlock(&(dev_data->file_mutex)); - + kfree(tmpbuf); return retval; } @@ -393,7 +397,7 @@ static ssize_t rmidev_write(struct file *filp, const char __user *buf, size_t count, loff_t *f_pos) { ssize_t retval; - unsigned char tmpbuf[count + 1]; + unsigned char *tmpbuf; struct rmidev_data *dev_data = filp->private_data; if (IS_ERR(dev_data)) { @@ -407,9 +411,14 @@ static ssize_t rmidev_write(struct file *filp, const char __user *buf, if (count > (REG_ADDR_LIMIT - *f_pos)) count = REG_ADDR_LIMIT - *f_pos; - if (copy_from_user(tmpbuf, buf, count)) - return -EFAULT; + tmpbuf = kzalloc(count + 1, GFP_KERNEL); + if (!tmpbuf) + return -ENOMEM; + if (copy_from_user(tmpbuf, buf, count)) { + kfree(tmpbuf); + return -EFAULT; + } mutex_lock(&(dev_data->file_mutex)); retval = synaptics_rmi4_reg_write(rmidev->rmi4_data, @@ -420,7 +429,7 @@ static ssize_t rmidev_write(struct file *filp, const char __user *buf, *f_pos += retval; mutex_unlock(&(dev_data->file_mutex)); - + kfree(tmpbuf); return retval; } |