DivestOS/Patches/Linux_CVEs/CVE-2017-0507/ANY/0001.patch

68 lines
2.0 KiB
Diff
Raw Normal View History

From 03c26a1d8c8687131da151c2e4bd5a04d08e0dec Mon Sep 17 00:00:00 2001
From: Ariel Yin <ayin@google.com>
Date: Fri, 13 Jan 2017 15:05:54 -0800
Subject: [PATCH] ANDROID: ion: check for kref overflow
Userspace can cause the kref to handles to increment
arbitrarily high. Ensure it does not overflow.
Signed-off-by: Daniel Rosenberg <drosen@google.com>
Bug: 31992382
Test: See bug for poc
Change-Id: I6bff1df385742b1d836d43180dc87fadcea80782
---
drivers/staging/android/ion/ion.c | 17 ++++++++++++++---
1 file changed, 14 insertions(+), 3 deletions(-)
diff --git a/drivers/staging/android/ion/ion.c b/drivers/staging/android/ion/ion.c
index cc1b3bff392ac..48b6b86a61945 100644
--- a/drivers/staging/android/ion/ion.c
+++ b/drivers/staging/android/ion/ion.c
@@ -16,6 +16,8 @@
*
*/
+#include <linux/atomic.h>
+#include <linux/err.h>
#include <linux/file.h>
#include <linux/freezer.h>
#include <linux/fs.h>
@@ -400,6 +402,15 @@ static void ion_handle_get(struct ion_handle *handle)
kref_get(&handle->ref);
}
+/* Must hold the client lock */
+static struct ion_handle* ion_handle_get_check_overflow(struct ion_handle *handle)
+{
+ if (atomic_read(&handle->ref.refcount) + 1 == 0)
+ return ERR_PTR(-EOVERFLOW);
+ ion_handle_get(handle);
+ return handle;
+}
+
int ion_handle_put_nolock(struct ion_handle *handle)
{
int ret;
@@ -445,9 +456,9 @@ struct ion_handle *ion_handle_get_by_id_nolock(struct ion_client *client,
handle = idr_find(&client->idr, id);
if (handle)
- ion_handle_get(handle);
+ return ion_handle_get_check_overflow(handle);
- return handle ? handle : ERR_PTR(-EINVAL);
+ return ERR_PTR(-EINVAL);
}
struct ion_handle *ion_handle_get_by_id(struct ion_client *client,
@@ -1339,7 +1350,7 @@ struct ion_handle *ion_import_dma_buf(struct ion_client *client, int fd)
/* if a handle exists for this buffer just take a reference to it */
handle = ion_handle_lookup(client, buffer);
if (!IS_ERR(handle)) {
- ion_handle_get(handle);
+ handle = ion_handle_get_check_overflow(handle);
mutex_unlock(&client->lock);
goto end;
}