input: synaptics: allocate heap memory for temp buf
dsx i2c operations structure include i2c write and i2c
read which accepts data from user space. Temp
buffers are allocated through variable length arrays
which can pose security problems. So allocate memory
on heap instead of stack to avoid this.
Issue: SEC-1893
Test: run sts-engbuild -m StsHostTestCases --test android.security.sts.Poc16_10#testPocCVE_2016_3940
Bug: 30141991
Change-Id: I0461f5419c4bd717380977ea435eff0861a9266a
Signed-off-by: Yueyao Zhu<yueyao@google.com>
(cherry picked from commit 29566432a8cd87ade2356be8203d287d620f2029)
diff --git a/drivers/input/touchscreen/synaptics_dsx/synaptics_dsx_i2c.c b/drivers/input/touchscreen/synaptics_dsx/synaptics_dsx_i2c.c
index 00b0d46..c4eb409 100644
--- a/drivers/input/touchscreen/synaptics_dsx/synaptics_dsx_i2c.c
+++ b/drivers/input/touchscreen/synaptics_dsx/synaptics_dsx_i2c.c
@@ -304,16 +304,17 @@
{
int retval;
unsigned char retry;
- unsigned char buf[length + 1];
+ unsigned char *buf;
struct i2c_client *i2c = to_i2c_client(rmi4_data->pdev->dev.parent);
- struct i2c_msg msg[] = {
- {
- .addr = i2c->addr,
- .flags = 0,
- .len = length + 1,
- .buf = buf,
- }
- };
+ struct i2c_msg msg[1];
+
+ buf = kzalloc(length + 1, GFP_KERNEL);
+ if (!buf) {
+ dev_err(rmi4_data->pdev->dev.parent,
+ "%s: Failed to alloc mem for buffer\n",
+ __func__);
+ return -ENOMEM;
+ }
buf[0] = addr & MASK_8BIT;
retval = secure_memcpy(&buf[1], length, &data[0], length, length);
@@ -332,6 +333,11 @@
goto exit;
}
+ msg[0].addr = i2c->addr;
+ msg[0].flags = 0;
+ msg[0].len = length + 1;
+ msg[0].buf = buf;
+
for (retry = 0; retry < SYN_I2C_RETRY_TIMES; retry++) {
if (i2c_transfer(i2c->adapter, msg, 1) == 1) {
retval = length;
@@ -352,6 +358,7 @@
exit:
mutex_unlock(&rmi4_data->rmi4_io_ctrl_mutex);
+ kfree(buf);
return retval;
}