From fe9bb598453a5310326b8afa326189a6ed48876d Mon Sep 17 00:00:00 2001
From: Kaifu Hu
Date: Tue, 18 Sep 2018 14:04:41 +0800
Subject: [PATCH] hdmitx: fix KASAN Bug in hdmitx_edid_parse [1/1]
PD#173547: hdmitx: fix KASAN Bug in hdmitx_edid_parse
BUG: KASAN: stack-out-of-bounds in hdmitx_edid_parse+0x22c/0x2c40
Read of size 1 at addr ffffffc047927a4f by task power@1.0-servi/2947
Change-Id: Ia1dda5aa80a9fc33a0e81eb9af51ea42a3731c66
Signed-off-by: Kaifu Hu
---
 drivers/amlogic/media/vout/hdmitx/hdmi_tx_20/hdmi_tx_edid.c | 4 ++++
 drivers/amlogic/media/vout/hdmitx/hdmi_tx_20/hdmi_tx_main.c | 5 ++++-
 2 files changed, 8 insertions(+), 1 deletion(-)
diff --git a/drivers/amlogic/media/vout/hdmitx/hdmi_tx_20/hdmi_tx_edid.c b/drivers/amlogic/media/vout/hdmitx/hdmi_tx_20/hdmi_tx_edid.c
index ca3c978..09f46f8 100644
--- a/drivers/amlogic/media/vout/hdmitx/hdmi_tx_20/hdmi_tx_edid.c
+++ b/drivers/amlogic/media/vout/hdmitx/hdmi_tx_20/hdmi_tx_edid.c
@@ -136,6 +136,10 @@ static void Edid_ParsingIDManufacturerName(struct rx_cap *pRxCap,
 brand[1] = ((data[0] & 0x3) << 3) + (data[1] >> 5);
 brand[2] = data[1] & 0x1f;
+ if (((brand[0] > 26) || (brand[0] == 0))
+ || ((brand[1] > 26) || (brand[1] == 0))
+ || ((brand[2] > 26) || (brand[2] == 0)))
+ return;
 for (i = 0; i < 3; i++)
 pRxCap->IDManufacturerName[i] = uppercase[brand[i] - 1];
 }
diff --git a/drivers/amlogic/media/vout/hdmitx/hdmi_tx_20/hdmi_tx_main.c b/drivers/amlogic/media/vout/hdmitx/hdmi_tx_20/hdmi_tx_main.c
index f6e2c70..6ecf080 100644
--- a/drivers/amlogic/media/vout/hdmitx/hdmi_tx_20/hdmi_tx_main.c
+++ b/drivers/amlogic/media/vout/hdmitx/hdmi_tx_20/hdmi_tx_main.c
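Review bot: In Edid_ParsingIDManufacturerName the new early `return` leaves `pRxCap->IDManufacturerName` untouched when any of the three letter codes falls outside 1..26, so a sink that sends a malformed manufacturer ID keeps whatever name the structure held before. Whether rx_cap is cleared before each EDID parse is not visible in this hunk; if it is not, the field should be cleared before returning so a stale vendor name is not reported for the new sink. The range test itself matches the `uppercase[brand[i] - 1]` lookup, and a one-line comment would record why it is there, e.g. `/* EDID bytes come from the sink: each letter code must be 1..26 to index uppercase[] */`. The function begins above the hunk, so the computation of `brand[0]` and the size of `uppercase` are assumed rather than checked here.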
@@ -596,7 +596,8 @@ static ssize_t show_attr(struct device *dev,
 ssize_t store_attr(struct device *dev, struct device_attribute *attr, const char *buf, size_t count)
 {
- memcpy(hdmitx_device.fmt_attr, buf, sizeof(hdmitx_device.fmt_attr));
+ strncpy(hdmitx_device.fmt_attr, buf, sizeof(hdmitx_device.fmt_attr));
+ hdmitx_device.fmt_attr[15] = '\0';
 return count;
 }
 /*aud_mode attr*/
@@ -2244,6 +2245,7 @@ static ssize_t show_hdr_cap(struct device *dev,
 int pos = 0;
 unsigned int i, j;
 struct rx_cap *pRXCap = &(hdmitx_device.RXCap);
+
 pos += snprintf(buf + pos, PAGE_SIZE, "HDR Static Metadata:\n");
 pos += snprintf(buf + pos, PAGE_SIZE, " Supported EOTF:\n");
 pos += snprintf(buf + pos, PAGE_SIZE, " Traditional SDR: %d\n",
@@ -3324,6 +3326,7 @@ static void clear_hdr_info(struct hdmitx_dev *hdev)
 {
 struct vinfo_s *info = hdmitx_get_current_vinfo();
 unsigned int i;
+
 if (info) {
 info->hdr_info.hdr_support = 0;
 for (i = 0; i < 4; i++)
--
2.7.4
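Review bot: In store_attr the terminator is written at the literal index 15, which is only correct while `hdmitx_device.fmt_attr` is exactly 16 bytes; the declaration is not visible in this hunk, and if the array is ever resized the store either truncates early or lands out of bounds. Tie the index to the array with `hdmitx_device.fmt_attr[sizeof(hdmitx_device.fmt_attr) - 1] = '\0';`, or replace both added lines with `strscpy(hdmitx_device.fmt_attr, buf, sizeof(hdmitx_device.fmt_attr));` if this tree's kernel version provides it. The stored value also keeps any trailing newline from the sysfs write, which matters if fmt_attr is later compared against fixed strings; that use is outside the hunk.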