tegra: dc: hdcp: Fix buffer overflow in driver
Pranami Bhattacharya [Thu, 22 Dec 2016 22:52:58 +0000 (14:52 -0800)]
- We are allocating a buffer of 16 bytes
- While assigning values to the buffer, we run past 16 bytes
- This leads to buffer overflow and can cause exploits
- We have now increased the packet size to 32 bytes
- This will avoid any overflow

Bug 1856227

Change-Id: Ic3cf1054efbbe06a0d7579dee236071cced9f592
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1275811
(cherry picked from commit b2f451bbc25fc64ac31fd33d2ead9ba011dd52a3)
Reviewed-on: http://git-master/r/1455421
Reviewed-by: Pranami Bhattacharya <pranamib@nvidia.com>
Reviewed-by: Automatic_Commit_Validation_User
GVS: Gerrit_Virtual_Submit
Tested-by: Pranami Bhattacharya <pranamib@nvidia.com>
Reviewed-by: Vinayak Pane <vpane@nvidia.com>

drivers/video/tegra/dc/hdmihdcp.c

index 17d1d2a..aa72265 100644 (file)
@@ -85,7 +85,7 @@ static DEFINE_RATELIMIT_STATE(ratelimit, 60*HZ, 5);
 
 #define HDCP_SERVICE_UUID              {0x13F616F9, 0x4A6F8572,\
                                 0xAA04F1A1, 0xFFF9059B}
-#define HDCP_PKT_SIZE                  16
+#define HDCP_PKT_SIZE                  32
 #define HDCP_SESSION_SUCCESS           0
 #define HDCP_SESSION_FAILURE           1
 #define HDCP_CMAC_OFFSET               6
@@ -1112,7 +1112,7 @@ static int tsec_hdcp_authentication(struct tegra_nvhdcp *nvhdcp,
                &hdcp_context->msg.rxcaps_capmask);
        if (err)
                goto exit;
-       pkt = kmalloc(HDCP_PKT_SIZE, GFP_KERNEL);
+       pkt = kzalloc(HDCP_PKT_SIZE, GFP_KERNEL);
        if (!pkt) {
                nvhdcp_err("Memory allocation failed!\n");
                goto exit;
@@ -1616,7 +1616,7 @@ static int link_integrity_check(struct tegra_nvhdcp *nvhdcp,
                                                        msecs_to_jiffies(10));
                        goto exit;
                }
-               pkt = kmalloc(HDCP_PKT_SIZE, GFP_KERNEL);
+               pkt = kzalloc(HDCP_PKT_SIZE, GFP_KERNEL);
                if (!pkt) {
                        nvhdcp_err("Memory allocation failed\n");
                        goto exit;