efuse: fix potential memory info leakage issue [1/1]

PD#OTT-4656

Problem:
When handling the set attribute IOCTL EFUSE_INFO_GET the driver
makes a call to efuse_getinfo (line 177) passing it a potentially
non-null-terminated string. The efuse_getinfo() function then uses
this potentially non-null-terminated string in strcmp (line 99).
The method efuse_getinfo does not cater to non-null-terminated
strings and thus can likely be made to overrun the "item" string
beyond any printable ASCII data.
Furthermore, if attackers can control the item value well enough,
the function efuse_getinfo can be used to potentially disclose
values in kernel memory, i.e. by checking the results of lots of
strcmp calls on item values, essentially acting as an oracle for
memory values surrounding the efusekey_info[n].keyname variable in
stack memory.

Solution:
Force a null terminator for the keyname argument before comparing
it to kernel memory.

Verify:
U200

Change-Id: I851dd7045d0a9e7855e9899c4745eac475cb9233
Signed-off-by: Jiamin Ma <jiamin.ma@amlogic.com>
This commit is contained in:
Jiamin Ma
2019-06-18 14:00:43 +08:00
committed by Luke Go
parent f49dbe73e2
commit d58f336aaf
2 changed files with 2 additions and 0 deletions
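The fix pattern the commit message describes, as an added example that is not the driver's code: a lookup that trusts its input the way efuse_getinfo() did, the forced terminator the commit adds at the call site, and a stricter variant that rejects unterminated input instead of truncating it. The field size, key table and function names are constructed for illustration.

```c
#include <errno.h>
#include <string.h>

#define KEYNAME_LEN 16 /* hypothetical; the driver's real struct layout is not shown */

struct key_info { char keyname[KEYNAME_LEN]; int offset; };

/* Constructed table standing in for the driver's efusekey_info[]. */
static const struct key_info key_table[] = { { "mac", 0x10 }, { "usid", 0x20 } };
#define KEY_COUNT (sizeof(key_table) / sizeof(key_table[0]))

/* Like efuse_getinfo() before the fix: trusts that name is NUL-terminated.
 * If every byte of the caller's field is non-zero, strcmp() reads past it
 * into adjacent memory and the match result reflects what it found there. */
static int lookup_trusting(const char *name)
{
    size_t i;
    for (i = 0; i < KEY_COUNT; i++)
        if (strcmp(name, key_table[i].keyname) == 0)
            return key_table[i].offset;
    return -ENOENT;
}

/* The commit's approach: force the last byte to NUL so strcmp() must stop
 * inside the field. An overlong name is silently truncated. */
static int lookup_terminated(char name[KEYNAME_LEN])
{
    name[KEYNAME_LEN - 1] = '\0';
    return lookup_trusting(name);
}

/* Stricter alternative: reject a field that contains no NUL instead of
 * truncating it, so a malformed request fails visibly. */
static int lookup_strict(const char name[KEYNAME_LEN])
{
    if (memchr(name, '\0', KEYNAME_LEN) == NULL)
        return -EINVAL;
    return lookup_trusting(name);
}

/* Constructed input: a field holding src, or filled with 'A' (no NUL) if src is NULL. */
static int demo(const char *src, int strict)
{
    char buf[KEYNAME_LEN];
    if (src) { memset(buf, 0, sizeof buf); strncpy(buf, src, sizeof buf - 1); }
    else      memset(buf, 'A', sizeof buf);
    return strict ? lookup_strict(buf) : lookup_terminated(buf);
}
```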


@@ -114,6 +114,7 @@ static long efuse_unlocked_ioctl(struct file *file, unsigned int cmd,
__func__, __LINE__);
return ret;
}
info.title[sizeof(info.title) - 1] = '\0';
if (efuse_getinfo_byTitle(info.title, &info) < 0)
return -EFAULT;
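Review bot: the added `info.title[sizeof(info.title) - 1] = '\0';` only bounds the comparison if `info.title` is a fixed-size char array embedded in `info`; the hunk does not show the struct, so confirm it is not a pointer, where `sizeof` would yield the pointer size and the store would land at the wrong offset. The write also silently truncates a title that legitimately fills the whole field; if full-length titles are valid input, consider rejecting an unterminated field (for example `if (strnlen(info.title, sizeof(info.title)) == sizeof(info.title)) return -EINVAL;`) rather than truncating it. Since the commit message places the unsafe `strcmp` inside the lookup helper, terminating at this one call site leaves any other caller of `efuse_getinfo_byTitle()` unprotected; applying the bound inside the helper would cover them all.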


@@ -249,6 +249,7 @@ static long efuse_unlocked_ioctl(struct file *file, unsigned int cmd,
__func__, __LINE__);
return ret;
}
info.keyname[sizeof(info.keyname) - 1] = '\0';
if (efuse_getinfo(info.keyname, &info) < 0) {
pr_err("%s if not found\n", info.keyname);
return -EFAULT;
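Review bot: same caveat as the title path: `sizeof(info.keyname)` must be the array size rather than a pointer size, and the store truncates an overlong name instead of rejecting it, so a name that exactly fills the field is looked up with its last character dropped. On the failure path, `pr_err("%s if not found\n", info.keyname)` now prints a user-supplied string to the kernel log; the terminator makes the `%s` safe to read, but if the device node is reachable by unprivileged callers, repeating the ioctl with unknown names fills the log, so `pr_err_ratelimited()` would be the better choice here. The message text also reads like a typo for "is not found".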