msm: mdss: Fix possible memory overwrite in pgc config

Possible memory overwrite in pgc get config is fixed by
eliminating direct reference to user data.

Change-Id: I7117848bacb8e69720eb3121d02bbacf02cab13a
Signed-off-by: Sravan Kumar D.V.N <sravank1@codeaurora.org>

1 files changed, 9 insertions, 5 deletions

diff --git a/drivers/video/fbdev/msm/mdss_mdp_pp_v1_7.c b/drivers/video/fbdev/msm/mdss_mdp_pp_v1_7.c
index 9ef6a6634b78..aabf7c507376 100644
--- a/drivers/video/fbdev/msm/mdss_mdp_pp_v1_7.c
+++ b/drivers/video/fbdev/msm/mdss_mdp_pp_v1_7.c
@@ -1964,20 +1964,24 @@ static int pp_pgc_get_config(char __iomem *base_addr, void *cfg_data,
 	u32 *c0_data = NULL, *c1_data = NULL, *c2_data = NULL;
 	u32 val = 0, i = 0, sz = 0;
 	struct mdp_pgc_lut_data *pgc_data = NULL;
-	struct mdp_pgc_lut_data_v1_7  *pgc_data_v17 = NULL;
+	struct mdp_pgc_lut_data_v1_7  pgc_lut_data_v17;
+	struct mdp_pgc_lut_data_v1_7  *pgc_data_v17 = &pgc_lut_data_v17;
 	if (!base_addr || !cfg_data) {
 		pr_err("invalid params base_addr %pK cfg_data %pK block_type %d\n",
 		      base_addr, cfg_data, block_type);
 		return -EINVAL;
 	}
 	pgc_data = (struct mdp_pgc_lut_data *) cfg_data;
-	pgc_data_v17 = (struct mdp_pgc_lut_data_v1_7 *)
-			pgc_data->cfg_payload;
-	if (pgc_data->version != mdp_pgc_v1_7 || !pgc_data_v17) {
+	if (pgc_data->version != mdp_pgc_v1_7 || !pgc_data->cfg_payload) {
 		pr_err("invalid pgc version %d payload %pK\n",
-			pgc_data->version, pgc_data_v17);
+			pgc_data->version, pgc_data->cfg_payload);
 		return -EINVAL;
 	}
+	if (copy_from_user(pgc_data_v17, (void __user *) pgc_data->cfg_payload,
+			sizeof(*pgc_data_v17))) {
+		pr_err("copy from user failed for pgc lut data\n");
+		return -EFAULT;
+	}
 	if (!(pgc_data->flags & MDP_PP_OPS_READ)) {
 		pr_info("read ops is not set %d", pgc_data->flags);
 		return -EINVAL;