From: Zongdong Jiao <zongdong.jiao@amlogic.com>
Date: Thu, 13 Sep 2018 02:17:34 +0000 (+0800)
Subject: hdmitx: fix KASAN Bug in set_disp_mode_auto [1/1]
X-Git-Tag: khadas-vims-v0.9.6-release~995
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=21aed53e998a0e5beb4f36d07e8c5f950657922c;p=platform%2Fkernel%2Flinux-amlogic.git

hdmitx: fix KASAN Bug in set_disp_mode_auto [1/1]

PD#173549: hdmitx: fix KASAN Bug in set_disp_mode_auto
==================================================================
BUG: KASAN: global-out-of-bounds in set_disp_mode_auto+0x244/0x870
Read of size 32 at addr ffffff900a67e4c0 by task power@1.0-servi/2924

CPU: 2 PID: 2924 Comm: power@1.0-servi Tainted: G    B      O    4.9.113 #1
Hardware name: Amlogic (DT)
Call trace:
[<ffffff900908ecc0>] dump_backtrace+0x0/0x368
[<ffffff900908f0cc>] show_stack+0x24/0x30
[<ffffff900963bdb0>] dump_stack+0xa0/0xc8
[<ffffff90092ba234>] print_address_description+0x144/0x258
[<ffffff90092ba6ac>] kasan_report+0x264/0x338
[<ffffff90092b8ff4>] check_memory_region+0x12c/0x1c0
[<ffffff90092b90dc>] __asan_loadN+0x14/0x20
[<ffffff9009c12804>] set_disp_mode_auto+0x244/0x870
[<ffffff9009c13994>] hdmitx_late_resume+0x1cc/0x288
[<ffffff9009da5f30>] early_suspend_trigger_store+0x1a8/0x1d0
[<ffffff9009640ac4>] kobj_attr_store+0x44/0x60
[<ffffff90093973b0>] sysfs_kf_write+0x98/0xb8
[<ffffff9009396134>] kernfs_fop_write+0x12c/0x270
[<ffffff90092c9888>] __vfs_write+0xd8/0x268
[<ffffff90092cae48>] vfs_write+0xd8/0x240
[<ffffff90092ccd8c>] SyS_write+0xc4/0x148
[<ffffff9009083f00>] el0_svc_naked+0x34/0x38

The buggy address belongs to the variable:
 all_fmt_paras+0x1460/0x14a0

Memory state around the buggy address:
 ffffff900a67e380: 00 07 fa fa fa fa fa fa 00 02 fa fa fa fa fa fa
 ffffff900a67e400: 00 07 fa fa fa fa fa fa 00 02 fa fa fa fa fa fa
>ffffff900a67e480: 00 07 fa fa fa fa fa fa 00 02 fa fa fa fa fa fa
                                              ^
 ffffff900a67e500: 00 07 fa fa fa fa fa fa 00 03 fa fa fa fa fa fa
 ffffff900a67e580: 00 04 fa fa fa fa fa fa 00 04 fa fa fa fa fa fa
==================================================================

Change-Id: Ie2435c031c04ac23e801cfefa80a29071c120b4f
Signed-off-by: Zongdong Jiao <zongdong.jiao@amlogic.com>
---

diff --git a/drivers/amlogic/media/vout/hdmitx/hdmi_tx_20/hdmi_tx_main.c b/drivers/amlogic/media/vout/hdmitx/hdmi_tx_20/hdmi_tx_main.c
index b56c31d..db37431 100644
--- a/drivers/amlogic/media/vout/hdmitx/hdmi_tx_20/hdmi_tx_main.c
+++ b/drivers/amlogic/media/vout/hdmitx/hdmi_tx_20/hdmi_tx_main.c
@@ -467,7 +467,7 @@ static int set_disp_mode_auto(void)
 		hdev->para = hdmi_get_fmt_name("invalid", hdev->fmt_attr);
 		return -1;
 	}
-	memcpy(mode, info->name, sizeof(mode));
+	strncpy(mode, info->name, sizeof(mode));
 	if (strstr(mode, "fp")) {
 		int i = 0;