OSDN Git Service

(root) / uclinux-h8 / linux.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 7cce8e4)
drm/msm: Truncate the buffer object name if the copy from user failed
authorJordan Crouse <jcrouse@codeaurora.org>
Tue, 19 Feb 2019 18:40:19 +0000 (11:40 -0700)
committerRob Clark <robdclark@gmail.com>
Tue, 19 Feb 2019 19:54:08 +0000 (14:54 -0500)
(Resend since there was a compile error that I forgot to commit before sending)

If there is a error while doing a copy_from_user() for MSM_INFO_SET_NAME
make sure to truncate the object name so that there isn't a chance that
we'll have random data in the string.

This is on top of [1] reported and fixed by Dan Carpenter.

[1] https://patchwork.freedesktop.org/series/56656/

Fixes: f05c83e77460 ("drm/msm: add uapi to get/set debug name")
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Jordan Crouse <jcrouse@codeaurora.org>
Signed-off-by: Rob Clark <robdclark@gmail.com>
drivers/gpu/drm/msm/msm_drv.c patch | blob | history

diff --git a/drivers/gpu/drm/msm/msm_drv.c b/drivers/gpu/drm/msm/msm_drv.c
index 87eae44..906b2bb 100644 (file)
--- a/drivers/gpu/drm/msm/msm_drv.c
+++ b/drivers/gpu/drm/msm/msm_drv.c
@@ -852,8 +852,11 @@ static int msm_ioctl_gem_info(struct drm_device *dev, void *data,
                        break;
                }
                if (copy_from_user(msm_obj->name, u64_to_user_ptr(args->value),
-                                  args->len))
+                                  args->len)) {
+                       msm_obj->name[0] = '\0';
                        ret = -EFAULT;
+                       break;
+               }
                msm_obj->name[args->len] = '\0';
                for (i = 0; i < args->len; i++) {
                        if (!isprint(msm_obj->name[i])) {
About OSDN
Find Software
Develop Software
Help