net: ipc_router: fix leak of kernel memory to userspace

The service info structure is allocated with uninitialized memory for the
max number of services and returns the complete structure to userspace,
resulting in an information leak if the lookup operation finds fewer
services than the requested number.

Check the minimum of requested and available services and copy the minimum
information to the user-space.

CRs-Fixed: 965934
Change-Id: Ic97f875855fdc6440c1db1d8d0338ee8b03a9d0a
Signed-off-by: Arun Kumar Neelakantam <aneela@codeaurora.org>
Arun Kumar Neelakantam 2016-01-27 18:46:01 +05:30 committed by David Keitel
parent 77f8a75933
commit 6182fb00ae

@ -482,13 +482,18 @@ static int msm_ipc_router_ioctl(struct socket *sock,
ret = copy_to_user((void *)arg, &server_arg,
sizeof(server_arg));
if (srv_info_sz) {
n = min(server_arg.num_entries_found,
server_arg.num_entries_in_array);
if (ret == 0 && n) {
ret = copy_to_user((void *)(arg + sizeof(server_arg)),
srv_info, srv_info_sz);
if (ret)
ret = -EFAULT;
kfree(srv_info);
srv_info, n * sizeof(*srv_info));
}
if (ret)
ret = -EFAULT;
kfree(srv_info);
break;
case IPC_ROUTER_IOCTL_BIND_CONTROL_PORT:
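
Review bot: Capping the second copy_to_user() at n * sizeof(*srv_info) still leaves srv_info allocated uninitialized, as the commit message describes, so the first n entries are only clean if the lookup writes every byte of each element, padding included. Zeroing the buffer at allocation (kzalloc or kcalloc) would close that residual path and make the fix independent of how the lookup fills entries. The types of num_entries_found and num_entries_in_array are not visible in this hunk; please confirm both min() operands are unsigned and of the same type, since a negative found count would otherwise become a very large copy length.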