From faef150cd78f9a5dc4d7696904e575b2cc45ba7d Mon Sep 17 00:00:00 2001
From: "yang-cy.chen" <yang-cy.chen@mediatek.com>
Date: Tue, 19 Apr 2016 19:48:48 +0800
Subject: Fix "[Security Vulnerability] Thermal:potential buffer overflow"
 issue

Problem:
lack of boundary check of user input parameter before copy_from_user.

Solution:
Add boundary protection to prevent buffer overflow

Bug num:28085410

Change-Id: I178730c373ed3eab3e197b10362c987df659e4c3
Signed-off-by: yang-cy.chen <yang-cy.chen@mediatek.com>
(cherry picked from commit e2c408685e93f73ca16b9d5bc23a186f258a1617)
---
 drivers/misc/mediatek/thermal/mtk_cooler_cam.c | 2 ++
 drivers/misc/mediatek/thermal/mtk_cooler_vrt.c | 2 ++
 2 files changed, 4 insertions(+)

diff --git a/drivers/misc/mediatek/thermal/mtk_cooler_cam.c b/drivers/misc/mediatek/thermal/mtk_cooler_cam.c
index d7f5b0b21..f51c42beb 100644
--- a/drivers/misc/mediatek/thermal/mtk_cooler_cam.c
+++ b/drivers/misc/mediatek/thermal/mtk_cooler_cam.c
@@ -38,6 +38,8 @@ static ssize_t _cl_cam_write(struct file *filp, const char __user *buf, size_t l
 	int ret = 0;
 	char tmp[MAX_LEN] = { 0 };
 
+        len = min(len,MAX_LEN-1);
+
 	/* write data to the buffer */
 	if (copy_from_user(tmp, buf, len)) {
 		return -EFAULT;
diff --git a/drivers/misc/mediatek/thermal/mtk_cooler_vrt.c b/drivers/misc/mediatek/thermal/mtk_cooler_vrt.c
index d5d348b3d..2b055341b 100644
--- a/drivers/misc/mediatek/thermal/mtk_cooler_vrt.c
+++ b/drivers/misc/mediatek/thermal/mtk_cooler_vrt.c
@@ -35,6 +35,8 @@ static ssize_t _cl_vrt_write(struct file *filp, const char __user *buf, size_t l
 	int ret = 0;
 	char tmp[MAX_LEN] = { 0 };
 
+        len = min(len,MAX_LEN-1);
+
 	/* write data to the buffer */
 	if (copy_from_user(tmp, buf, len)) {
 		return -EFAULT;
-- 
cgit v1.2.3