msm: ipa: Fix to validate the buffer size

Add code changes to validate the buffer size.
When ipa_read is called, verify whether the kernel buffer
size is in range.

Change-Id: Idc608c2cf0587a00f19ece38a4eb646f7fde68e3
Signed-off-by: Praveen Kurapati <pkurapat@codeaurora.org>
Praveen Kurapati 2019-01-17 15:36:31 +05:30
parent 7f8a8ced82
commit a411b9ceed
2 changed files with 32 additions and 6 deletions


@ -1,4 +1,4 @@
/* Copyright (c) 2013-2018, The Linux Foundation. All rights reserved. /* Copyright (c) 2013-2019, The Linux Foundation. All rights reserved.
* *
* This program is free software; you can redistribute it and/or modify * This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2 and * it under the terms of the GNU General Public License version 2 and
@ -735,6 +735,12 @@ ssize_t ipa_read(struct file *filp, char __user *buf, size_t count,
IPADBG("msg=%pK\n", msg); IPADBG("msg=%pK\n", msg);
locked = 0; locked = 0;
mutex_unlock(&ipa_ctx->msg_lock); mutex_unlock(&ipa_ctx->msg_lock);
if (count < sizeof(struct ipa_msg_meta)) {
kfree(msg);
msg = NULL;
ret = -EFAULT;
break;
}
if (copy_to_user(buf, &msg->meta, if (copy_to_user(buf, &msg->meta,
sizeof(struct ipa_msg_meta))) { sizeof(struct ipa_msg_meta))) {
kfree(msg); kfree(msg);
@ -745,8 +751,15 @@ ssize_t ipa_read(struct file *filp, char __user *buf, size_t count,
buf += sizeof(struct ipa_msg_meta); buf += sizeof(struct ipa_msg_meta);
count -= sizeof(struct ipa_msg_meta); count -= sizeof(struct ipa_msg_meta);
if (msg->buff) { if (msg->buff) {
if (copy_to_user(buf, msg->buff, if (count >= msg->meta.msg_len) {
msg->meta.msg_len)) { if (copy_to_user(buf, msg->buff,
msg->meta.msg_len)) {
kfree(msg);
msg = NULL;
ret = -EFAULT;
break;
}
} else {
kfree(msg); kfree(msg);
msg = NULL; msg = NULL;
ret = -EFAULT; ret = -EFAULT;
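Review bot: In the new `else` branch of the second hunk, taken when `count` is smaller than `msg->meta.msg_len`, `kfree(msg)` runs while `msg->buff` is known to be non-NULL, and nothing visible in the hunk releases that payload. If the payload is normally released further down in ipa_read, which is outside this hunk, a caller that keeps passing an undersized buffer could leak one payload per read, and the message appears to be discarded rather than kept for a retry with a larger buffer. Consider releasing `msg->buff` on this path the same way the success path does, or comparing `count` with `sizeof(struct ipa_msg_meta) + msg->meta.msg_len` before the message is detached from wherever it is queued. The same applies to the new short-buffer check in the first hunk and to the matching branches in ipa3_read; both function bodies start and end outside the hunks.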


@ -1,4 +1,4 @@
/* Copyright (c) 2013-2018, The Linux Foundation. All rights reserved. /* Copyright (c) 2013-2019, The Linux Foundation. All rights reserved.
* *
* This program is free software; you can redistribute it and/or modify * This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2 and * it under the terms of the GNU General Public License version 2 and
@ -742,6 +742,12 @@ ssize_t ipa3_read(struct file *filp, char __user *buf, size_t count,
if (msg) { if (msg) {
locked = 0; locked = 0;
mutex_unlock(&ipa3_ctx->msg_lock); mutex_unlock(&ipa3_ctx->msg_lock);
if (count < sizeof(struct ipa_msg_meta)) {
kfree(msg);
msg = NULL;
ret = -EFAULT;
break;
}
if (copy_to_user(buf, &msg->meta, if (copy_to_user(buf, &msg->meta,
sizeof(struct ipa_msg_meta))) { sizeof(struct ipa_msg_meta))) {
ret = -EFAULT; ret = -EFAULT;
@ -752,8 +758,15 @@ ssize_t ipa3_read(struct file *filp, char __user *buf, size_t count,
buf += sizeof(struct ipa_msg_meta); buf += sizeof(struct ipa_msg_meta);
count -= sizeof(struct ipa_msg_meta); count -= sizeof(struct ipa_msg_meta);
if (msg->buff) { if (msg->buff) {
if (copy_to_user(buf, msg->buff, if (count >= msg->meta.msg_len) {
msg->meta.msg_len)) { if (copy_to_user(buf, msg->buff,
msg->meta.msg_len)) {
ret = -EFAULT;
kfree(msg);
msg = NULL;
break;
}
} else {
ret = -EFAULT; ret = -EFAULT;
kfree(msg); kfree(msg);
msg = NULL; msg = NULL;
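Review bot: The nested `if (count >= msg->meta.msg_len) { if (copy_to_user(...)) { ... } } else { ... }` in the second hunk repeats the same three-line cleanup in both arms, which makes it easy for the two copies to drift apart later. A single condition keeps one cleanup block: `if (count < msg->meta.msg_len || copy_to_user(buf, msg->buff, msg->meta.msg_len)) {`. Both short-buffer paths also return `-EFAULT`, the value already used for a failed `copy_to_user`, so user space cannot tell an undersized buffer from a bad pointer; a distinct code such as `-EINVAL` would make that diagnosable, provided no existing caller depends on the current value. The same shape appears in ipa_read, and ipa3_read continues outside the hunk.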