From: Deepak Shankar Date: Thu, 16 Aug 2018 09:29:17 +0000 (+0530) Subject: msm: ais: Fix out-of-bounds read in string class name X-Git-Url: http://git.osdn.net/view?a=commitdiff_plain;h=6ae64f78da509c5282ef14ce6491b38cd37a444b;p=sagit-ice-cold%2Fkernel_xiaomi_msm8998.git msm: ais: Fix out-of-bounds read in string class name jpeg driver is calling class_create with stack variable, which can be overwritten by other stack variables. Change-Id: I92ccd4629cef8a06b7715b8483cf53a9607bd22f Signed-off-by: Deepak Shankar Signed-off-by: Rahul Sharma --- diff --git a/drivers/media/platform/msm/ais/jpeg_10/msm_jpeg_dev.c b/drivers/media/platform/msm/ais/jpeg_10/msm_jpeg_dev.c index 88c822c50491..2e3b4fe6b025 100644 --- a/drivers/media/platform/msm/ais/jpeg_10/msm_jpeg_dev.c +++ b/drivers/media/platform/msm/ais/jpeg_10/msm_jpeg_dev.c @@ -1,4 +1,4 @@ -/* Copyright (c) 2012-2017, The Linux Foundation. All rights reserved. +/* Copyright (c) 2012-2018, The Linux Foundation. All rights reserved. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 and @@ -32,6 +32,8 @@ #define MSM_JPEG_NAME "jpeg" #define DEV_NAME_LEN 10 +static char devname[DEV_NAME_LEN]; + static int msm_jpeg_open(struct inode *inode, struct file *filp) { int rc = 0; @@ -185,7 +187,6 @@ static int msm_jpeg_init_dev(struct platform_device *pdev) struct msm_jpeg_device *msm_jpeg_device_p; const struct of_device_id *device_id; const struct msm_jpeg_priv_data *priv_data; - char devname[DEV_NAME_LEN]; msm_jpeg_device_p = kzalloc(sizeof(struct msm_jpeg_device), GFP_ATOMIC); if (!msm_jpeg_device_p) {