From 2e1f080dbb9178a0f99c3a52e15426fbedd31151 Mon Sep 17 00:00:00 2001
From: "jianxin.pan"
Date: Thu, 17 Aug 2017 20:31:47 +0800
Subject: [PATCH] security: fix security issues about memory and registers
PD#138714: fix security issuses
1.Kernel Memory Corruption in efuse_read_usr() Kernel Memory Corruption in efuse_read_usr()
2.Audio SoC DebugFS Entry Allows Kernel Memory Corruption
3.Kernel Stack Buffer Overwrite in clk_test debugfs
4.Register DebugFS Entry Allows Kernel Memory Read
Change-Id: I49373967732dde10e589f07aaab313340ba726e7
Signed-off-by: jianxin.pan
---
 drivers/amlogic/clk/clk_test.c | 2 +-
 drivers/amlogic/clk/m8b/clk_test.c | 2 +-
 drivers/amlogic/efuse/efuse_hw64.c | 4 ++++
 drivers/amlogic/reg_access/reg_access.c | 4 ++--
 sound/soc/soc-core.c | 2 +-
 5 files changed, 9 insertions(+), 5 deletions(-)
diff --git a/drivers/amlogic/clk/clk_test.c b/drivers/amlogic/clk/clk_test.c
index 259771e762d7..ae2df3017e47 100644
--- a/drivers/amlogic/clk/clk_test.c
+++ b/drivers/amlogic/clk/clk_test.c
@@ -81,7 +81,7 @@ static ssize_t clk_test_write(struct file *file, const char __user *userbuf,
 buf[count] = 0;
- ret = sscanf(buf, "%s %s %lu", get_set, clk_name, &rate);
+ ret = sscanf(buf, "%3s %31s %lu", get_set, clk_name, &rate);
 switch (ret) {
 case 1:
 pr_err("%s error usage!\n", __func__);
diff --git a/drivers/amlogic/clk/m8b/clk_test.c b/drivers/amlogic/clk/m8b/clk_test.c
index 675d5296ae9b..3db73a6da67b 100644
--- a/drivers/amlogic/clk/m8b/clk_test.c
+++ b/drivers/amlogic/clk/m8b/clk_test.c
@@ -84,7 +84,7 @@ static ssize_t clk_test_write(struct file *file, const char __user *userbuf,
 buf[count] = 0;
- ret = sscanf(buf, "%s %s %lu", get_set, clk_name, &rate);
+ ret = sscanf(buf, "%3s %31s %lu", get_set, clk_name, &rate);
 switch (ret) {
 case 1:
 pr_err("%s error usage!\n", __func__);
diff --git a/drivers/amlogic/efuse/efuse_hw64.c b/drivers/amlogic/efuse/efuse_hw64.c
index b098e54ad170..e899680c1587 100644
--- a/drivers/amlogic/efuse/efuse_hw64.c
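Review bot: The field widths `%3s` and `%31s` in the new `sscanf` call are bare literals that have to stay equal to the sizes of `get_set` and `clk_name` minus one, and those declarations are outside the hunk, so nothing visible ties the two together. If either array is later resized, the stack overwrite this commit closes comes back silently; a comment at the call such as `/* widths must equal sizeof(get_set) - 1 and sizeof(clk_name) - 1 */`, or a `BUILD_BUG_ON()` on the two sizes above it, would pin the assumption. The same applies to the identical hunk in drivers/amlogic/clk/m8b/clk_test.c. The context line `buf[count] = 0;` also depends on a bound on `count` that neither hunk shows, which is worth confirming while the function is open.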
+++ b/drivers/amlogic/efuse/efuse_hw64.c
@@ -203,6 +203,8 @@ ssize_t efuse_read_usr(char *buf, size_t count, loff_t *ppos)
 ssize_t ret;
 loff_t pos;
+ if (count > EFUSE_BYTES)
+ count = EFUSE_BYTES;
 memset(data, 0, count);
 pdata = data;
@@ -225,6 +227,8 @@ ssize_t efuse_write_usr(char *buf, size_t count, loff_t *ppos)
 pr_info("data length: 0 is error!\n");
 return -1;
 }
+ if (count > EFUSE_BYTES)
+ count = EFUSE_BYTES;
 memset(data, 0, EFUSE_BYTES);
diff --git a/drivers/amlogic/reg_access/reg_access.c b/drivers/amlogic/reg_access/reg_access.c
index 1a07c061da75..030222c2ee53 100644
--- a/drivers/amlogic/reg_access/reg_access.c
+++ b/drivers/amlogic/reg_access/reg_access.c
@@ -189,9 +189,9 @@ static int __init aml_debug_init(void)
 }
 aml_dev.debugfs_reg_access = aml_reg_access;
- debugfs_create_file("paddr", S_IFREG | 0444,
+ debugfs_create_file("paddr", S_IFREG | 0440,
 debugfs_root, &aml_dev, &paddr_file_ops);
- debugfs_create_file("dump", S_IFREG | 0444,
+ debugfs_create_file("dump", S_IFREG | 0440,
 debugfs_root, &aml_dev, &dump_file_ops);
 return 0;
 }
diff --git a/sound/soc/soc-core.c b/sound/soc/soc-core.c
index 4e3de566809c..fad2ed8389a7 100644
--- a/sound/soc/soc-core.c
+++ b/sound/soc/soc-core.c
@@ -324,7 +324,7 @@ static void soc_init_codec_debugfs(struct snd_soc_component *component)
 {
 struct snd_soc_codec *codec = snd_soc_component_to_codec(component);
- codec->debugfs_reg = debugfs_create_file("codec_reg", 0644,
+ codec->debugfs_reg = debugfs_create_file("codec_reg", 0440,
 codec->component.debugfs_root, codec, &codec_reg_fops);
 if (!codec->debugfs_reg)
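Review bot: The clamp added to `efuse_read_usr` bounds `count` on its own but not together with `*ppos`, so a request that starts near the end of the region may still run past it unless the code after the hunk checks the offset; that part of the function is outside the hunk. Clamping also turns an oversized request into a silent short read instead of an error. If the offset is not validated further down, the guard would be better written against the remaining space, e.g. `if (count > EFUSE_BYTES - pos) count = EFUSE_BYTES - pos;` once `pos` has been range-checked. A one-line comment stating that `data` is `EFUSE_BYTES` long would also make the reason for the bound visible at the `memset`.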
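Review bot: In `efuse_write_usr` an oversized `count` is now cut down to `EFUSE_BYTES` and the write carries on, which on one-time-programmable fuses commits a truncated image of what the caller asked for with no error reported. Rejecting the request is the safer behaviour for a write path: `if (count > EFUSE_BYTES) return -EINVAL;`. The zero-length branch just above returns a bare `-1`, so using an errno value there as well would keep the two checks consistent. How the return value is propagated to the caller is outside the hunk.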
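Review bot: Dropping the world-read bit on `paddr` and `dump` only narrows who can open the files; the handlers behind `paddr_file_ops` and `dump_file_ops` are not touched by this commit, so any address validation they lack is still missing for every caller that passes the mode check. File mode bits also do not constrain a process holding CAP_DAC_OVERRIDE, so the kernel memory read named in the commit message presumably remains reachable from privileged context. I would add a comment at the calls, e.g. `/* root-only: these handlers expose raw register and physical-address access */`, and follow up with range checks inside the handlers, which are outside the hunk. The return values of both `debugfs_create_file` calls are ignored as well.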
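Review bot: Changing `codec_reg` from 0644 to 0440 hides the write bit but leaves `codec_reg_fops` as it was, so if the memory corruption named in the commit message sits in its write handler, that code is still reachable by root, for which DAC write bits are not enforced. The durable fix is to bound the input inside the write handler, or to drop `.write` from `codec_reg_fops` if writes are no longer wanted; both are outside this hunk. This is shared ASoC core code, so the mode change applies to every codec's debugfs entry and deserves a line in the commit description. The body of `soc_init_codec_debugfs` continues past the hunk.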