evie/android_kernel_oneplus_msm8998
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

msm: IPA: add the check on intf query

Browse source 
The ipa_ioc_query_intf_rx_props structure comes
from the ioctl handler, and it is verified that
the size of rx buffer does not exceed the
IPA_NUM_PROPS_MAX elements. It is also verified
that the "entry->rx" buffer does not exceed
IPA_NUM_PROPS_MAX when "entry" is allocated.
However, the sizes of the buffer "rx->rx" and
the buffer "entry->rx" are not guaranteed to
be the same and will lead memory corruption
issue. The fix is to add the check before
memcpy.

Change-Id: Idf5c2d32f47c1a1cffeaa5607193855188893ddb
Signed-off-by: Skylar Chang <chiaweic@codeaurora.org>
This commit is contained in:
Skylar Chang 2017-03-01 16:08:27 -08:00
parent 660ab6c3a2
commit 8c08d0e498
2 changed files with 50 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

26
drivers/platform/msm/ipa/ipa_v2/ipa_intf.c
View file

@ -1,4 +1,4 @@
/* Copyright (c) 2013-2016, The Linux Foundation. All rights reserved.
/* Copyright (c) 2013-2017, The Linux Foundation. All rights reserved.
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2 and
@ -272,6 +272,14 @@ int ipa_query_intf_tx_props(struct ipa_ioc_query_intf_tx_props *tx)
mutex_lock(&ipa_ctx->lock);
list_for_each_entry(entry, &ipa_ctx->intf_list, link) {
if (!strncmp(entry->name, tx->name, IPA_RESOURCE_NAME_MAX)) {
/* add the entry check */
if (entry->num_tx_props != tx->num_tx_props) {
IPAERR("invalid entry number(%u %u)\n",
entry->num_tx_props,
tx->num_tx_props);
mutex_unlock(&ipa_ctx->lock);
return result;
}
memcpy(tx->tx, entry->tx, entry->num_tx_props *
sizeof(struct ipa_ioc_tx_intf_prop));
result = 0;
@ -305,6 +313,14 @@ int ipa_query_intf_rx_props(struct ipa_ioc_query_intf_rx_props *rx)
mutex_lock(&ipa_ctx->lock);
list_for_each_entry(entry, &ipa_ctx->intf_list, link) {
if (!strncmp(entry->name, rx->name, IPA_RESOURCE_NAME_MAX)) {
/* add the entry check */
if (entry->num_rx_props != rx->num_rx_props) {
IPAERR("invalid entry number(%u %u)\n",
entry->num_rx_props,
rx->num_rx_props);
mutex_unlock(&ipa_ctx->lock);
return result;
}
memcpy(rx->rx, entry->rx, entry->num_rx_props *
sizeof(struct ipa_ioc_rx_intf_prop));
result = 0;
@ -338,6 +354,14 @@ int ipa_query_intf_ext_props(struct ipa_ioc_query_intf_ext_props *ext)
mutex_lock(&ipa_ctx->lock);
list_for_each_entry(entry, &ipa_ctx->intf_list, link) {
if (!strcmp(entry->name, ext->name)) {
/* add the entry check */
if (entry->num_ext_props != ext->num_ext_props) {
IPAERR("invalid entry number(%u %u)\n",
entry->num_ext_props,
ext->num_ext_props);
mutex_unlock(&ipa_ctx->lock);
return result;
}
memcpy(ext->ext, entry->ext, entry->num_ext_props *
sizeof(struct ipa_ioc_ext_intf_prop));
result = 0;

26
drivers/platform/msm/ipa/ipa_v3/ipa_intf.c
View file

@ -1,4 +1,4 @@
/* Copyright (c) 2013-2016, The Linux Foundation. All rights reserved.
/* Copyright (c) 2013-2017, The Linux Foundation. All rights reserved.
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2 and
@ -275,6 +275,14 @@ int ipa3_query_intf_tx_props(struct ipa_ioc_query_intf_tx_props *tx)
mutex_lock(&ipa3_ctx->lock);
list_for_each_entry(entry, &ipa3_ctx->intf_list, link) {
if (!strcmp(entry->name, tx->name)) {
/* add the entry check */
if (entry->num_tx_props != tx->num_tx_props) {
IPAERR("invalid entry number(%u %u)\n",
entry->num_tx_props,
tx->num_tx_props);
mutex_unlock(&ipa3_ctx->lock);
return result;
}
memcpy(tx->tx, entry->tx, entry->num_tx_props *
sizeof(struct ipa_ioc_tx_intf_prop));
result = 0;
@ -314,6 +322,14 @@ int ipa3_query_intf_rx_props(struct ipa_ioc_query_intf_rx_props *rx)
mutex_lock(&ipa3_ctx->lock);
list_for_each_entry(entry, &ipa3_ctx->intf_list, link) {
if (!strcmp(entry->name, rx->name)) {
/* add the entry check */
if (entry->num_rx_props != rx->num_rx_props) {
IPAERR("invalid entry number(%u %u)\n",
entry->num_rx_props,
rx->num_rx_props);
mutex_unlock(&ipa3_ctx->lock);
return result;
}
memcpy(rx->rx, entry->rx, entry->num_rx_props *
sizeof(struct ipa_ioc_rx_intf_prop));
result = 0;
@ -348,6 +364,14 @@ int ipa3_query_intf_ext_props(struct ipa_ioc_query_intf_ext_props *ext)
mutex_lock(&ipa3_ctx->lock);
list_for_each_entry(entry, &ipa3_ctx->intf_list, link) {
if (!strcmp(entry->name, ext->name)) {
/* add the entry check */
if (entry->num_ext_props != ext->num_ext_props) {
IPAERR("invalid entry number(%u %u)\n",
entry->num_ext_props,
ext->num_ext_props);
mutex_unlock(&ipa3_ctx->lock);
return result;
}
memcpy(ext->ext, entry->ext, entry->num_ext_props *
sizeof(struct ipa_ioc_ext_intf_prop));
result = 0;