DivestOS/Patches/Linux_CVEs/CVE-2017-0459/3.10/1.patch

From b4e374926ddc325840cda704aea1eb0c49d7f0e3 Mon Sep 17 00:00:00 2001
From: Skylar Chang <chiaweic@codeaurora.org>
Date: Wed, 30 Nov 2016 14:41:24 -0800
Subject: msm: ipa: fix the potential heap overflow on wan-driver

Add the check on rmnet_ipa3_set_tether_client_pipe API
to make sure not accessing move than QMI_IPA_MAX_PIPES_V01
entries when user-space module compromised.

Change-Id: I59d39c7e5743dfea17853b6c4709605d4ebae962
Signed-off-by: Skylar Chang <chiaweic@codeaurora.org>
---
 drivers/platform/msm/ipa/rmnet_ipa.c | 19 ++++++++++++++++++-
 1 file changed, 18 insertions(+), 1 deletion(-)

diff --git a/drivers/platform/msm/ipa/rmnet_ipa.c b/drivers/platform/msm/ipa/rmnet_ipa.c
index ddae8c5..c274ee1 100644
--- a/drivers/platform/msm/ipa/rmnet_ipa.c
+++ b/drivers/platform/msm/ipa/rmnet_ipa.c
@@ -2426,7 +2426,7 @@ int rmnet_ipa_set_data_quota(struct wan_ioctl_set_data_quota *data)
  *
  * Return codes:
  * 0: Success
- * -EFAULT: Invalid interface name provided
+ * -EFAULT: Invalid src/dst pipes provided
  * other: See ipa_qmi_set_data_quota
  */
 int rmnet_ipa_set_tether_client_pipe(
@@ -2434,6 +2434,23 @@ int rmnet_ipa_set_tether_client_pipe(
 {
 	int number, i;
 
+	/* error checking if ul_src_pipe_len valid or not*/
+	if (data->ul_src_pipe_len > QMI_IPA_MAX_PIPES_V01 ||
+		data->ul_src_pipe_len < 0) {
+		IPAWANERR("UL src pipes %d exceeding max %d\n",
+			data->ul_src_pipe_len,
+			QMI_IPA_MAX_PIPES_V01);
+		return -EFAULT;
+	}
+	/* error checking if dl_dst_pipe_len valid or not*/
+	if (data->dl_dst_pipe_len > QMI_IPA_MAX_PIPES_V01 ||
+		data->dl_dst_pipe_len < 0) {
+		IPAWANERR("DL dst pipes %d exceeding max %d\n",
+			data->dl_dst_pipe_len,
+			QMI_IPA_MAX_PIPES_V01);
+		return -EFAULT;
+	}
+
 	IPAWANDBG("client %d, UL %d, DL %d, reset %d\n",
 	data->ipa_client,
 	data->ul_src_pipe_len,
-- 
cgit v1.1
Add patches for many Linux CVEs, and overhaul script paths 2017-10-29 01:48:53 -04:00			`From b4e374926ddc325840cda704aea1eb0c49d7f0e3 Mon Sep 17 00:00:00 2001`
			`From: Skylar Chang <chiaweic@codeaurora.org>`
			`Date: Wed, 30 Nov 2016 14:41:24 -0800`
			`Subject: msm: ipa: fix the potential heap overflow on wan-driver`

			`Add the check on rmnet_ipa3_set_tether_client_pipe API`
			`to make sure not accessing move than QMI_IPA_MAX_PIPES_V01`
			`entries when user-space module compromised.`

			`Change-Id: I59d39c7e5743dfea17853b6c4709605d4ebae962`
			`Signed-off-by: Skylar Chang <chiaweic@codeaurora.org>`
			`---`
			`drivers/platform/msm/ipa/rmnet_ipa.c \| 19 ++++++++++++++++++-`
			`1 file changed, 18 insertions(+), 1 deletion(-)`

			`diff --git a/drivers/platform/msm/ipa/rmnet_ipa.c b/drivers/platform/msm/ipa/rmnet_ipa.c`
			`index ddae8c5..c274ee1 100644`
			`--- a/drivers/platform/msm/ipa/rmnet_ipa.c`
			`+++ b/drivers/platform/msm/ipa/rmnet_ipa.c`
			`@@ -2426,7 +2426,7 @@ int rmnet_ipa_set_data_quota(struct wan_ioctl_set_data_quota *data)`
			`*`
			`* Return codes:`
			`* 0: Success`
			`- * -EFAULT: Invalid interface name provided`
			`+ * -EFAULT: Invalid src/dst pipes provided`
			`* other: See ipa_qmi_set_data_quota`
			`*/`
			`int rmnet_ipa_set_tether_client_pipe(`
			`@@ -2434,6 +2434,23 @@ int rmnet_ipa_set_tether_client_pipe(`
			`{`
			`int number, i;`

			`+ /* error checking if ul_src_pipe_len valid or not*/`
			`+ if (data->ul_src_pipe_len > QMI_IPA_MAX_PIPES_V01 \|\|`
			`+ data->ul_src_pipe_len < 0) {`
			`+ IPAWANERR("UL src pipes %d exceeding max %d\n",`
			`+ data->ul_src_pipe_len,`
			`+ QMI_IPA_MAX_PIPES_V01);`
			`+ return -EFAULT;`
			`+ }`
			`+ /* error checking if dl_dst_pipe_len valid or not*/`
			`+ if (data->dl_dst_pipe_len > QMI_IPA_MAX_PIPES_V01 \|\|`
			`+ data->dl_dst_pipe_len < 0) {`
			`+ IPAWANERR("DL dst pipes %d exceeding max %d\n",`
			`+ data->dl_dst_pipe_len,`
			`+ QMI_IPA_MAX_PIPES_V01);`
			`+ return -EFAULT;`
			`+ }`
			`+`
			`IPAWANDBG("client %d, UL %d, DL %d, reset %d\n",`
			`data->ipa_client,`
			`data->ul_src_pipe_len,`
			`--`
			`cgit v1.1`