authoryang-cy.chen <yang-cy.chen@mediatek.com>2016-04-19 19:48:48 +0800
committerMoyster <oysterized@gmail.com>2016-08-26 16:02:12 +0200
commitfaef150cd78f9a5dc4d7696904e575b2cc45ba7d (patch)
tree2c567dfb8e17b889800859637d6a1eeb4988aeae
parent8e93e2bdfbb2ebf00a0b4f6d1693d7f5f8a66d4e (diff)
Fix "[Security Vulnerability] Thermal:potential buffer overflow" issue
Problem: lack of boundary check of user input parameter before copy_from_user. Solution: Add boundary protection to prevent buffer overflow Bug num:28085410 Change-Id: I178730c373ed3eab3e197b10362c987df659e4c3 Signed-off-by: yang-cy.chen <yang-cy.chen@mediatek.com> (cherry picked from commit e2c408685e93f73ca16b9d5bc23a186f258a1617)
-rw-r--r--drivers/misc/mediatek/thermal/mtk_cooler_cam.c2
-rw-r--r--drivers/misc/mediatek/thermal/mtk_cooler_vrt.c2
2 files changed, 4 insertions, 0 deletions
diff --git a/drivers/misc/mediatek/thermal/mtk_cooler_cam.c b/drivers/misc/mediatek/thermal/mtk_cooler_cam.c
index d7f5b0b21..f51c42beb 100644
--- a/drivers/misc/mediatek/thermal/mtk_cooler_cam.c
+++ b/drivers/misc/mediatek/thermal/mtk_cooler_cam.c
@@ -38,6 +38,8 @@ static ssize_t _cl_cam_write(struct file *filp, const char __user *buf, size_t l
int ret = 0;
char tmp[MAX_LEN] = { 0 };
+ len = min(len,MAX_LEN-1);
+
/* write data to the buffer */
if (copy_from_user(tmp, buf, len)) {
return -EFAULT;
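Review bot: The added `len = min(len,MAX_LEN-1);` in `_cl_cam_write` silently truncates an over-long write instead of rejecting it, so the code that parses `tmp` afterwards sees a cut-off string and the caller is not told its input was too long. If truncation is not wanted, reject up front with `if (len >= MAX_LEN) return -EINVAL;`. If it is intended, prefer `len = min_t(size_t, len, MAX_LEN - 1);`, because the kernel's `min()` type-checks its operands and `MAX_LEN - 1` is presumably an int constant (its definition is not visible here). A one-line comment such as `/* keep tmp[MAX_LEN - 1] as the NUL terminator */` would also record why the bound is `MAX_LEN - 1` rather than `MAX_LEN`. The identical line in `_cl_vrt_write` (mtk_cooler_vrt.c) needs the same change; both function bodies continue outside the hunks, so what is returned and how `tmp` is parsed are inferred.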
diff --git a/drivers/misc/mediatek/thermal/mtk_cooler_vrt.c b/drivers/misc/mediatek/thermal/mtk_cooler_vrt.c
index d5d348b3d..2b055341b 100644
--- a/drivers/misc/mediatek/thermal/mtk_cooler_vrt.c
+++ b/drivers/misc/mediatek/thermal/mtk_cooler_vrt.c
@@ -35,6 +35,8 @@ static ssize_t _cl_vrt_write(struct file *filp, const char __user *buf, size_t l
int ret = 0;
char tmp[MAX_LEN] = { 0 };
+ len = min(len,MAX_LEN-1);
+
/* write data to the buffer */
if (copy_from_user(tmp, buf, len)) {
return -EFAULT;