| author | Piazza Lo <piazza.lo@mediatek.com> | 2017-10-11 12:13:52 +0800 |
|---|---|---|
| committer | Moyster <oysterized@gmail.com> | 2019-08-01 18:12:49 +0200 |
| commit | c825098b9a76e1c4ef6c05f80cdd8b6c756cbf08 (patch) | |
| tree | c3d63c6861055f5ab13b41f60fb5615ab9882aad /drivers/misc | |
| parent | 483a1f74b9b0a02130084aa8032abf0c98cca977 (diff) | |
Security Patch: mt_idle: avoid sscanf heap overflow
[Detail]
Add a buffer size limit to the sscanf() %s conversions.
M-ALPS03353869
CVE-2017-0827
BUG:65994220
Change-Id: Icebd9e86ca533dcd5425ed89c0488a64ed921f75
Signed-off-by: Piazza Lo <piazza.lo@mediatek.com>
Signed-off-by: Moyster <oysterized@gmail.com>
Diffstat (limited to 'drivers/misc')
| -rw-r--r-- | drivers/misc/mediatek/mach/mt6735/mt_idle.c | 10 |
1 files changed, 5 insertions, 5 deletions
diff --git a/drivers/misc/mediatek/mach/mt6735/mt_idle.c b/drivers/misc/mediatek/mach/mt6735/mt_idle.c
index ebf27625b..ae0912a9a 100644
--- a/drivers/misc/mediatek/mach/mt6735/mt_idle.c
+++ b/drivers/misc/mediatek/mach/mt6735/mt_idle.c
@@ -1067,7 +1067,7 @@ static ssize_t soidle_state_store(struct kobject *kobj,
 char cmd[32];
 int param;
- if (sscanf(buf, "%s %d", cmd, ¶m) == 2) {
+ if (sscanf(buf, "%31s %d", cmd, ¶m) == 2) {
 if (!strcmp(cmd, "soidle")) {
 idle_switch[IDLE_TYPE_SO] = param;
 } else if (!strcmp(cmd, "enable")) {
@@ -1136,7 +1136,7 @@ static ssize_t dpidle_state_store(struct kobject *kobj,
 char cmd[32];
 int param;
- if (sscanf(buf, "%s %d", cmd, ¶m) == 2) {
+ if (sscanf(buf, "%31s %d", cmd, ¶m) == 2) {
 if (!strcmp(cmd, "dpidle")) {
 idle_switch[IDLE_TYPE_DP] = param;
 } else if (!strcmp(cmd, "enable")) {
@@ -1195,7 +1195,7 @@ static ssize_t slidle_state_store(struct kobject *kobj,
 char cmd[32];
 int param;
- if (sscanf(buf, "%s %d", cmd, ¶m) == 2) {
+ if (sscanf(buf, "%31s %d", cmd, ¶m) == 2) {
 if (!strcmp(cmd, "slidle")) {
 idle_switch[IDLE_TYPE_SL] = param;
 } else if (!strcmp(cmd, "enable")) {
@@ -1234,7 +1234,7 @@ static ssize_t rgidle_state_store(struct kobject *kobj,
 char cmd[32];
 int param;
- if (sscanf(buf, "%s %d", cmd, ¶m) == 2) {
+ if (sscanf(buf, "%31s %d", cmd, ¶m) == 2) {
 if (!strcmp(cmd, "rgidle")) {
 idle_switch[IDLE_TYPE_RG] = param;
 }
@@ -1291,7 +1291,7 @@ static ssize_t idle_state_store(struct kobject *kobj,
 int idx;
 int param;
- if (sscanf(buf, "%s %x", cmd, ¶m) == 2) {
+ if (sscanf(buf, "%31s %x", cmd, ¶m) == 2) {
 if (!strcmp(cmd, "switch")) {
 for (idx = 0; idx < NR_TYPES; idx++) {
 idle_switch[idx] = (param & (1U << idx)) ? 1 : 0; |
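Review bot: The width in `"%31s %d"` is a bare literal that is only correct while the context line `char cmd[32];` stays as it is, so a later resize of `cmd` would silently bring the overflow back; the same holds for the dpidle_state_store, slidle_state_store and rgidle_state_store hunks. I would add `/* %31s: width must stay sizeof(cmd) - 1 */` above the call, or `BUILD_BUG_ON(sizeof(cmd) != 32);` next to the declaration so the compiler enforces it. Note also that `cmd` is a local array, so what the width protects here is the kernel stack frame of each store handler. An over-long token is now split at 31 characters rather than rejected, which looks harmless because the visible branches compare `cmd` with short literals via `strcmp`, but the rest of each function lies outside the hunk.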
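Review bot: In the idle_state_store hunk the `%x` conversion in `"%31s %x"` stores through an `unsigned int *`, while the context line declares `int param;`, so the argument type does not match the format. Declaring it `unsigned int param;` would match the conversion and also suit the `param & (1U << idx)` test that follows, assuming no later use in the function relies on a signed value. The declaration of `cmd` lies above this hunk, so that 31 really is one less than its size cannot be confirmed from the lines shown here; the function body also continues past the end of the hunk.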
