DivestOS/Patches/Linux_CVEs/CVE-2016-2411/ANY/0001.patch

From 43e6938f37be0386fff4117e8aefff9be49bfe8a Mon Sep 17 00:00:00 2001
From: Mahesh Sivasubramanian <msivasub@codeaurora.org>
Date: Wed, 17 Feb 2016 14:36:32 -0700
Subject: msm: thermal: Add range checking for cluster_id

The cluster id flag is passed in from the userspace through ioctl
interface. Ensure correctness of cluster id to avoid out of bounds array
accesses.

CRS-fixed: 977508
Change-Id: I778b962d347b90488b983a15087b13e90ad06688
Signed-off-by: Mahesh Sivasubramanian <msivasub@codeaurora.org>
---
 drivers/thermal/msm_thermal-dev.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/drivers/thermal/msm_thermal-dev.c b/drivers/thermal/msm_thermal-dev.c
index e1032bc..e6af6b8 100644
--- a/drivers/thermal/msm_thermal-dev.c
+++ b/drivers/thermal/msm_thermal-dev.c
@@ -1,4 +1,4 @@
-/* Copyright (c) 2013-2015, The Linux Foundation. All rights reserved.
+/* Copyright (c) 2013-2016, The Linux Foundation. All rights reserved.
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License version 2 and
@@ -114,6 +114,9 @@ static long msm_thermal_process_freq_table_req(struct msm_thermal_ioctl *query,
 	uint32_t table_idx, idx = 0, cluster_id = query->clock_freq.cluster_num;
 	struct clock_plan_arg *clock_freq = &(query->clock_freq);
 
+	if (cluster_id >= num_possible_cpus())
+		return -EINVAL;
+
 	if (!freq_table_len[cluster_id]) {
 		ret = msm_thermal_get_freq_plan_size(cluster_id,
 			&freq_table_len[cluster_id]);
@@ -200,6 +203,9 @@ static long msm_thermal_process_voltage_table_req(
 	uint32_t cluster_id = query->voltage.cluster_num;
 	struct voltage_plan_arg *voltage = &(query->voltage);
 
+	if (cluster_id >= num_possible_cpus())
+		return -EINVAL;
+
 	if (!voltage_table_ptr[cluster_id]) {
 		if (!freq_table_len[cluster_id]) {
 			ret = msm_thermal_get_freq_plan_size(cluster_id,
-- 
cgit v1.1