From 6ae64f78da509c5282ef14ce6491b38cd37a444b Mon Sep 17 00:00:00 2001
From: Deepak Shankar
Date: Thu, 16 Aug 2018 14:59:17 +0530
Subject: [PATCH] msm: ais: Fix out-of-bounds read in string class name

jpeg driver is calling class_create with stack variable, which can be overwritten by other stack variables.

Change-Id: I92ccd4629cef8a06b7715b8483cf53a9607bd22f
Signed-off-by: Deepak Shankar
Signed-off-by: Rahul Sharma
---
 drivers/media/platform/msm/ais/jpeg_10/msm_jpeg_dev.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/drivers/media/platform/msm/ais/jpeg_10/msm_jpeg_dev.c b/drivers/media/platform/msm/ais/jpeg_10/msm_jpeg_dev.c
index 88c822c50491..2e3b4fe6b025 100644
--- a/drivers/media/platform/msm/ais/jpeg_10/msm_jpeg_dev.c
+++ b/drivers/media/platform/msm/ais/jpeg_10/msm_jpeg_dev.c
@@ -1,4 +1,4 @@
-/* Copyright (c) 2012-2017, The Linux Foundation. All rights reserved.
+/* Copyright (c) 2012-2018, The Linux Foundation. All rights reserved.
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License version 2 and
@@ -32,6 +32,8 @@
 #define MSM_JPEG_NAME "jpeg"
 #define DEV_NAME_LEN 10
 
+static char devname[DEV_NAME_LEN];
+
 static int msm_jpeg_open(struct inode *inode, struct file *filp)
 {
 int rc = 0;
@@ -185,7 +187,6 @@ static int msm_jpeg_init_dev(struct platform_device *pdev)
 struct msm_jpeg_device *msm_jpeg_device_p;
 const struct of_device_id *device_id;
 const struct msm_jpeg_priv_data *priv_data;
-char devname[DEV_NAME_LEN];
 
 msm_jpeg_device_p = kzalloc(sizeof(struct msm_jpeg_device), GFP_ATOMIC);
 if (!msm_jpeg_device_p) {
-- 
2.11.0
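Review bot: The file-scope `devname` added after `DEV_NAME_LEN` in the second hunk is a single buffer shared by every device this driver initialises, so it fixes the dangling stack pointer for one instance only. The commit message says the name is handed to class_create, which keeps the pointer it is given instead of copying the string; if msm_jpeg_init_dev runs for more than one platform device (not visible here), each later call would rewrite the name earlier classes still point at, and parallel probes would race on the buffer. A per-device buffer avoids both, for example a `char devname[DEV_NAME_LEN];` member in `struct msm_jpeg_device`, which the function already allocates with kzalloc, provided that struct outlives the class. If the static is kept, document the constraint next to it: `/* must outlive the class: class_create() stores this pointer, it does not copy the name */`. The code that fills `devname` and calls class_create lies outside both hunks, so the truncation check on the formatted name could not be reviewed.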