authorAshish Garg <ashigarg@codeaurora.org>2017-06-09 16:31:41 +0530
committerAshish Garg <ashigarg@codeaurora.org>2017-06-09 16:32:00 +0530
commitfed910ca51f2ec49cdf3ba57c9e649b0d3dc21e5 (patch)
tree5588b877b7d243d38ad6cfff659388b92fc0af9c /drivers/video/fbdev/msm
parent55a25be010f62b574938ef3da38c50738db78cff (diff)
msm: mdss: validate the buffer size before allocating memory
The "count" parameter is controlled by the user and is used as the size of the allocated memory, but it is not validated. If the user provides a value of "0" for "count", kmalloc does not return NULL; instead it returns a memory block of "zero" size. This can lead to buffer overflows, and trying to access the invalid memory will cause kernel crashes. Check that the number of bytes to be written is non-zero and, if it is zero, return invalid input. Change-Id: I9613043881a91fd5a5f99337119c4a3d41493b54 Signed-off-by: Ashish Garg <ashigarg@codeaurora.org>
Diffstat (limited to 'drivers/video/fbdev/msm')
-rw-r--r--drivers/video/fbdev/msm/mdss_dsi.c5
1 files changed, 5 insertions, 0 deletions
diff --git a/drivers/video/fbdev/msm/mdss_dsi.c b/drivers/video/fbdev/msm/mdss_dsi.c
index 4f1333426113..adbcb97f8236 100644
--- a/drivers/video/fbdev/msm/mdss_dsi.c
+++ b/drivers/video/fbdev/msm/mdss_dsi.c
@@ -773,6 +773,11 @@ static ssize_t mdss_dsi_cmd_state_write(struct file *file,
int *link_state = file->private_data;
char *input;
+ if (!count) {
+ pr_err("%s: Zero bytes to be written\n", __func__);
+ return -EINVAL;
+ }
+
input = kmalloc(count, GFP_KERNEL);
if (!input) {
pr_err("%s: Failed to allocate memory\n", __func__);
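Review bot: The added guard in mdss_dsi_cmd_state_write rejects only `count == 0`, so the user-controlled `count` still reaches `kmalloc(count, GFP_KERNEL)` with no upper bound and a caller can request an arbitrarily large allocation. Bounding it against the longest input the handler is meant to accept would close that gap, e.g. `if (!count || count > MAX_CMD_STATE_LEN) return -EINVAL;`, where `MAX_CMD_STATE_LEN` is a placeholder for a limit the driver would have to define. The new `pr_err` can also be triggered at will from userspace, so `pr_err_ratelimited` or `pr_debug` would keep a misbehaving writer from flooding the kernel log. The function body continues outside the hunk, so how `input` is indexed after the allocation cannot be checked from here.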