From: Dan Carpenter dan.carpenter@oracle.com
[ Upstream commit d72cf01f410aa09868d98b672f3f92328c96b32d ]
This code will likely crash if we try to do a zero byte write. The code looks like this:
/* strip trailing whitespace */ for (i = count - 1; i > 0; i--) if (isspace(buf[i])) ...
We're writing zero bytes so count = 0. You would think that "count - 1" would be negative one, but because "i" is unsigned it is a large positive numer instead. The "i > 0" condition is true and the "buf[i]" access will be out of bounds.
The fix is to make "i" signed and now everything works as expected. The upper bound of "count" is capped in __kernel_write() at MAX_RW_COUNT so we don't have to worry about it being higher than INT_MAX.
Fixes: 02dd95fe3169 ("drm/tinydrm: Add MIPI DBI support") Signed-off-by: Dan Carpenter dan.carpenter@oracle.com [noralf: Adjust title] Signed-off-by: Noralf Trønnes noralf@tronnes.org Link: https://patchwork.freedesktop.org/patch/msgid/20190821072456.GJ26957@mwanda Signed-off-by: Sasha Levin sashal@kernel.org --- drivers/gpu/drm/drm_mipi_dbi.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/drivers/gpu/drm/drm_mipi_dbi.c b/drivers/gpu/drm/drm_mipi_dbi.c index 1961f713aaab..c4ee2709a6f3 100644 --- a/drivers/gpu/drm/drm_mipi_dbi.c +++ b/drivers/gpu/drm/drm_mipi_dbi.c @@ -1187,8 +1187,7 @@ static ssize_t mipi_dbi_debugfs_command_write(struct file *file, struct mipi_dbi_dev *dbidev = m->private; u8 val, cmd = 0, parameters[64]; char *buf, *pos, *token; - unsigned int i; - int ret, idx; + int i, ret, idx;
if (!drm_dev_enter(&dbidev->drm, &idx)) return -ENODEV;