hdmitx: fix KASAN Bug in set_disp_mode_auto [1/1]

PD#173549: hdmitx: fix KASAN Bug in set_disp_mode_auto
==================================================================
BUG: KASAN: global-out-of-bounds in set_disp_mode_auto+0x244/0x870
Read of size 32 at addr ffffff900a67e4c0 by task power@1.0-servi/2924

CPU: 2 PID: 2924 Comm: power@1.0-servi Tainted: G    B      O    4.9.113 #1
Hardware name: Amlogic (DT)
Call trace:
[<ffffff900908ecc0>] dump_backtrace+0x0/0x368
[<ffffff900908f0cc>] show_stack+0x24/0x30
[<ffffff900963bdb0>] dump_stack+0xa0/0xc8
[<ffffff90092ba234>] print_address_description+0x144/0x258
[<ffffff90092ba6ac>] kasan_report+0x264/0x338
[<ffffff90092b8ff4>] check_memory_region+0x12c/0x1c0
[<ffffff90092b90dc>] __asan_loadN+0x14/0x20
[<ffffff9009c12804>] set_disp_mode_auto+0x244/0x870
[<ffffff9009c13994>] hdmitx_late_resume+0x1cc/0x288
[<ffffff9009da5f30>] early_suspend_trigger_store+0x1a8/0x1d0
[<ffffff9009640ac4>] kobj_attr_store+0x44/0x60
[<ffffff90093973b0>] sysfs_kf_write+0x98/0xb8
[<ffffff9009396134>] kernfs_fop_write+0x12c/0x270
[<ffffff90092c9888>] __vfs_write+0xd8/0x268
[<ffffff90092cae48>] vfs_write+0xd8/0x240
[<ffffff90092ccd8c>] SyS_write+0xc4/0x148
[<ffffff9009083f00>] el0_svc_naked+0x34/0x38

The buggy address belongs to the variable:
 all_fmt_paras+0x1460/0x14a0

Memory state around the buggy address:
 ffffff900a67e380: 00 07 fa fa fa fa fa fa 00 02 fa fa fa fa fa fa
 ffffff900a67e400: 00 07 fa fa fa fa fa fa 00 02 fa fa fa fa fa fa
>ffffff900a67e480: 00 07 fa fa fa fa fa fa 00 02 fa fa fa fa fa fa
                                              ^
 ffffff900a67e500: 00 07 fa fa fa fa fa fa 00 03 fa fa fa fa fa fa
 ffffff900a67e580: 00 04 fa fa fa fa fa fa 00 04 fa fa fa fa fa fa
==================================================================

Change-Id: Ie2435c031c04ac23e801cfefa80a29071c120b4f
Signed-off-by: Zongdong Jiao <zongdong.jiao@amlogic.com>

diff --git a/drivers/amlogic/media/vout/hdmitx/hdmi_tx_20/hdmi_tx_main.c b/drivers/amlogic/media/vout/hdmitx/hdmi_tx_20/hdmi_tx_main.c
index b56c31d..db37431 100644 (file)
--- a/drivers/amlogic/media/vout/hdmitx/hdmi_tx_20/hdmi_tx_main.c
+++ b/drivers/amlogic/media/vout/hdmitx/hdmi_tx_20/hdmi_tx_main.c
@@ -467,7 +467,7 @@ static int set_disp_mode_auto(void)
                hdev->para = hdmi_get_fmt_name("invalid", hdev->fmt_attr);
                return -1;
        }
-       memcpy(mode, info->name, sizeof(mode));
+       strncpy(mode, info->name, sizeof(mode));
        if (strstr(mode, "fp")) {
                int i = 0;