|
From 4ad825ba2968666069740c3e80fe31ed3d0e29ba Mon Sep 17 00:00:00 2001
|
||
|
From: Arun Kumar Neelakantam <aneela@codeaurora.org>
|
||
|
Date: Wed, 27 Jan 2016 18:46:01 +0530
|
||
|
Subject: net: ipc_router: fix leak of kernel memory to userspace
|
||
|
|
||
|
The service info structure is allocated with uninitialized memory for the
|
||
|
max number of services and returns the complete structure to the userspace
|
||
|
resulting in the information leak if lookup operation finds less number of
|
||
|
services than the requested number.
|
||
|
|
||
|
Check the minimum of requested and available services and copy the minimum
|
||
|
information to the user-space.
|
||
|
|
||
|
CRs-Fixed: 965934
|
||
|
Change-Id: Ic97f875855fdc6440c1db1d8d0338ee8b03a9d0a
|
||
|
Signed-off-by: Arun Kumar Neelakantam <aneela@codeaurora.org>
|
||
|
---
|
||
|
net/ipc_router/ipc_router_socket.c | 17 +++++++++++------
|
||
|
1 file changed, 11 insertions(+), 6 deletions(-)
|
||
|
|
||
|
diff --git a/net/ipc_router/ipc_router_socket.c b/net/ipc_router/ipc_router_socket.c
|
||
|
index b127120..c26993c 100644
|
||
|
--- a/net/ipc_router/ipc_router_socket.c
|
||
|
+++ b/net/ipc_router/ipc_router_socket.c
|
||
|
@@ -1,4 +1,4 @@
|
||
|
-/* Copyright (c) 2011-2015, The Linux Foundation. All rights reserved.
|
||
|
+/* Copyright (c) 2011-2016, The Linux Foundation. All rights reserved.
|
||
|
*
|
||
|
* This program is free software; you can redistribute it and/or modify
|
||
|
* it under the terms of the GNU General Public License version 2 and
|
||
|
@@ -496,13 +496,18 @@ static int msm_ipc_router_ioctl(struct socket *sock,
|
||
|
|
||
|
ret = copy_to_user((void *)arg, &server_arg,
|
||
|
sizeof(server_arg));
|
||
|
- if (srv_info_sz) {
|
||
|
+
|
||
|
+ n = min(server_arg.num_entries_found,
|
||
|
+ server_arg.num_entries_in_array);
|
||
|
+
|
||
|
+ if (ret == 0 && n) {
|
||
|
ret = copy_to_user((void *)(arg + sizeof(server_arg)),
|
||
|
- srv_info, srv_info_sz);
|
||
|
- if (ret)
|
||
|
- ret = -EFAULT;
|
||
|
- kfree(srv_info);
|
||
|
+ srv_info, n * sizeof(*srv_info));
|
||
|
}
|
||
|
+
|
||
|
+ if (ret)
|
||
|
+ ret = -EFAULT;
|
||
|
+ kfree(srv_info);
|
||
|
break;
|
||
|
|
||
|
case IPC_ROUTER_IOCTL_BIND_CONTROL_PORT:
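Review bot: The new length `n * sizeof(*srv_info)` depends on `n` and on the two `server_arg` counts being non-negative, and neither the declaration of `n` nor any validation of `num_entries_in_array` is visible in this hunk (the body of `msm_ipc_router_ioctl` starts and continues outside it); if these are signed, a negative count would turn into a very large size in the multiplication, so the earlier code should reject it before this point. `kfree(srv_info)` is now reached even when no array was allocated, which is only safe if `srv_info` is initialised to NULL at its declaration. As defence in depth I would also zero the array where it is allocated (`kzalloc` or `kcalloc` instead of an uninitialised allocation), so that a partially filled entry cannot carry stale heap data to user space.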
|
||
|
--
|
||
|
cgit v1.1
|
||
|
|