PD#164774: kernel panic after mtk_cfg80211_set_power_mgmt
two possible overflow cases:
1. dev->debug_current + len == dev->debug_buffer_size
2. len > dev->debug_buffer_size
For the first case (the one currently triggered), the last byte of the
string pointed to by fmt, i.e. the terminating '\0', overwrites the
first byte of the memory pointed to by header (in function
__register_sysctl_table), which is the LSB of ipv4_table[]'s base
address, leading to an "Unable to handle kernel paging request at
virtual address xxxx" panic.
for the second case
a bunch of memory pointed to by header(in function
__register_sysctl_table) will be overwritten
Change-Id: I6bc42308323b7ffb52fe4d1fa9d22742a31e8b1f
Signed-off-by: jiamin ma <jiamin.ma@amlogic.com>
char *p;
int len;
- len = strlen(fmt);
+ len = strlen(fmt) + 1;
+ if (len > dev->debug_buffer_size)
+ return 0;
if (dev->debug_current + len > dev->debug_buffer_size)
dev->debug_current = 0;
p = (char *)(dev->debug_buffer+dev->debug_current);
strcpy(p, fmt);
- dev->debug_current += len;
+ dev->debug_current += (len-1);
return 0;
}
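Review bot: `len` is still an `int` while `strlen(fmt) + 1` is a `size_t`, so the two new bounds checks compare a possibly-truncated signed value against `dev->debug_buffer_size` (its type is not visible in this hunk); declaring it `size_t len = strlen(fmt) + 1;` makes both comparisons unsigned and matches the arithmetic that follows. Since the copy length is now known and validated, `memcpy(p, fmt, len);` is the more idiomatic choice than the unbounded `strcpy(p, fmt);` and documents that exactly `len` bytes, including the NUL, were checked to fit. An oversized message is silently dropped with `return 0`, which callers cannot distinguish from success; a short comment such as `/* message larger than the whole debug buffer: drop it rather than wrap */` would at least record the intent. The enclosing function's signature and opening lines are outside this hunk, so the types of `debug_current` and `debug_buffer_size`, and whether the buffer is protected by a lock, could not be confirmed here.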