msm: mdss: Fix for wrong length in copy_to_user

The caller could have a small buf passed (less then < blen). Since, the length of count and blen is not checked, it can write beyond the end of buf. Change-Id: I9138cd742b6166937f3cc1cbf1af36f280c94bdb Signed-off-by: Rashi Bindra <rbindra@codeaurora.org>
author: Rashi Bindra <rbindra@codeaurora.org> 2018-03-19 14:07:27 +0530
committer: Rashi Bindra <rbindra@codeaurora.org> 2018-03-19 17:06:12 +0530
commit: a9c93223f4faf3eeaaa25b813a1fdee41aba806e (patch)
tree: 4538160f5e7a28001e9db2cdbb258bea3e67103a
parent: 3e1f25e9559f01dcaf266c4ece9fee779af3e244 (diff)
1 files changed, 2 insertions, 2 deletions
diff --git a/drivers/video/fbdev/msm/mdss_dsi.c b/drivers/video/fbdev/msm/mdss_dsi.c
index 7b6153503af5..0d41f41371dd 100644
--- a/drivers/video/fbdev/msm/mdss_dsi.c
+++ b/drivers/video/fbdev/msm/mdss_dsi.c
@@ -1,4 +1,4 @@
-/* Copyright (c) 2012-2017, The Linux Foundation. All rights reserved.
+/* Copyright (c) 2012-2018, The Linux Foundation. All rights reserved.
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License version 2 and
@@ -760,7 +760,7 @@ static ssize_t mdss_dsi_cmd_state_read(struct file *file, char __user *buf,
 	if (blen < 0)
 		return 0;
 
-	if (copy_to_user(buf, buffer, blen))
+	if (copy_to_user(buf, buffer, min(count, (size_t)blen+1)))
 		return -EFAULT;
 
 	*ppos += blen;
author	Rashi Bindra <rbindra@codeaurora.org>	2018-03-19 14:07:27 +0530
committer	Rashi Bindra <rbindra@codeaurora.org>	2018-03-19 17:06:12 +0530
commit	a9c93223f4faf3eeaaa25b813a1fdee41aba806e (patch)
tree	4538160f5e7a28001e9db2cdbb258bea3e67103a
parent	3e1f25e9559f01dcaf266c4ece9fee779af3e244 (diff)