authoryang-cy.chen <yang-cy.chen@mediatek.com>2016-04-19 20:01:07 +0800
committerMoyster <oysterized@gmail.com>2016-08-26 16:02:12 +0200
commit88d70e960decc88e9d310a95e8ab7db7ca690f67 (patch)
tree692e27c0e66fe163b149f360754aee5580773370 /drivers/power
parentfaef150cd78f9a5dc4d7696904e575b2cc45ba7d (diff)
Fix "[Security Vulnerability] Battery:potential buffer overflow" issue
Problem: potential buffer overflow through copy_from_user. Solution: Explicitly copy one byte, since only one byte of data is needed. Bug num:28085222 Change-Id: I097d433f70267ddbaad1b08dfbdd9505467d300c Signed-off-by: yang-cy.chen <yang-cy.chen@mediatek.com> (cherry picked from commit 78aae38e1ec91b758317450c308a4cfd31bda3d3)
Diffstat (limited to 'drivers/power')
-rw-r--r--drivers/power/mediatek/battery_common.c10
-rw-r--r--drivers/power/mediatek/battery_meter.c12
2 files changed, 11 insertions, 11 deletions
diff --git a/drivers/power/mediatek/battery_common.c b/drivers/power/mediatek/battery_common.c
index ad854f110..a613e22e3 100644
--- a/drivers/power/mediatek/battery_common.c
+++ b/drivers/power/mediatek/battery_common.c
@@ -94,8 +94,6 @@
/* Battery Logging Entry */
/* ////////////////////////////////////////////////////////////////////////////// */
int Enable_BATDRV_LOG = BAT_LOG_CRTI;
-/* static struct proc_dir_entry *proc_entry; */
-char proc_bat_data[32];
/* ///////////////////////////////////////////////////////////////////////////////////////// */
/* // Smart Battery Structure */
@@ -479,15 +477,17 @@ EXPORT_SYMBOL(wake_up_bat3);
static ssize_t bat_log_write(struct file *filp, const char __user *buff, size_t len, loff_t *data)
{
- if (copy_from_user(&proc_bat_data, buff, len)) {
+ char proc_bat_data;
+
+ if ((len <= 0) || copy_from_user(&proc_bat_data, buff, 1)) {
battery_log(BAT_LOG_FULL, "bat_log_write error.\n");
return -EFAULT;
}
- if (proc_bat_data[0] == '1') {
+ if (proc_bat_data == '1') {
battery_log(BAT_LOG_CRTI, "enable battery driver log system\n");
Enable_BATDRV_LOG = 1;
- } else if (proc_bat_data[0] == '2') {
+ } else if (proc_bat_data == '2') {
battery_log(BAT_LOG_CRTI, "enable battery driver log system:2\n");
Enable_BATDRV_LOG = 2;
} else {
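Review bot: The new guard `(len <= 0)` in bat_log_write tests a `size_t`, which is unsigned, so it can only ever mean `len == 0`, and it reports an empty write as `-EFAULT` although no bad user pointer was involved. I would split the two cases, `if (len == 0) return -EINVAL;` followed by `if (get_user(proc_bat_data, buff)) {`, since get_user() is the idiomatic single-byte fetch and leaves no length argument that could drift away from the destination size again. A short comment such as `/* only the first byte of the write is consumed; the rest is ignored */` would record why `len` is no longer passed to the copy. The same guard appears in fgadc_log_write in battery_meter.c. The function body continues past the end of this hunk, so the value returned after the if/else chain is not visible here.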
diff --git a/drivers/power/mediatek/battery_meter.c b/drivers/power/mediatek/battery_meter.c
index 794e164ca..56f5fa26d 100644
--- a/drivers/power/mediatek/battery_meter.c
+++ b/drivers/power/mediatek/battery_meter.c
@@ -54,9 +54,6 @@ int Enable_FGADC_LOG = 1;
/* ============================================================ // */
BATTERY_METER_CONTROL battery_meter_ctrl = NULL;
-/* static struct proc_dir_entry *proc_entry_fgadc; */
-static char proc_fgadc_data[32];
-
kal_bool gFG_Is_Charging = KAL_FALSE;
kal_int32 g_auxadc_solution = 0;
U32 g_spm_timer = 600;
@@ -3291,15 +3288,18 @@ kal_int32 battery_meter_get_VSense(void)
static ssize_t fgadc_log_write(struct file *filp, const char __user *buff,
size_t len, loff_t *data)
{
- if (copy_from_user(&proc_fgadc_data, buff, len)) {
+
+ char proc_fgadc_data;
+
+ if ((len <= 0) || copy_from_user(&proc_fgadc_data, buff, 1)) {
bm_print(BM_LOG_CRTI, "fgadc_log_write error.\n");
return -EFAULT;
}
- if (proc_fgadc_data[0] == '1') {
+ if (proc_fgadc_data == '1') {
bm_print(BM_LOG_CRTI, "enable FGADC driver log system\n");
Enable_FGADC_LOG = 1;
- } else if (proc_fgadc_data[0] == '2') {
+ } else if (proc_fgadc_data == '2') {
bm_print(BM_LOG_CRTI, "enable FGADC driver log system:2\n");
Enable_FGADC_LOG = 2;
} else {
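Review bot: The added blank line directly after the opening brace of fgadc_log_write is a style inconsistency with bat_log_write in the same commit, where the declaration follows the brace immediately, and kernel coding style (checkpatch) flags blank lines after an open brace. Dropping that line so that `char proc_fgadc_data;` is the first line of the body keeps the two handlers identical in shape, which makes it easier to audit them together. The function body continues past the end of this hunk.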