DivestOS/Patches/Linux_CVEs-New/CVE-2017-0462/ANY/0.patch

64 lines
2.2 KiB
Diff
Raw Normal View History

From eb7b1426279e751b1fc3e86f434dc349945c1ae7 Mon Sep 17 00:00:00 2001
From: ahmedsh <ahmedsh@codeaurora.org>
Date: Wed, 4 Jan 2017 16:00:27 -0500
Subject: seemp: use local stack mem when encoding params
Avoid race condition in driver when encoding param by
reading contents from a local copy instead of msg buffer
itself which can be mapped to user space.
Change-Id: I9f111c078baefca6e6f1fcda30af1044891a3356
Signed-off-by: Ahmed Sheikh <ahmedsh@codeaurora.org>
---
.../platform/msm/seemp_core/seemp_event_encoder.c | 21 ++++++++++++++++-----
1 file changed, 16 insertions(+), 5 deletions(-)
diff --git a/drivers/platform/msm/seemp_core/seemp_event_encoder.c b/drivers/platform/msm/seemp_core/seemp_event_encoder.c
index df56a84..36901f5 100644
--- a/drivers/platform/msm/seemp_core/seemp_event_encoder.c
+++ b/drivers/platform/msm/seemp_core/seemp_event_encoder.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2015, The Linux Foundation. All rights reserved.
+ * Copyright (c) 2015, 2017, The Linux Foundation. All rights reserved.
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2 and
@@ -48,9 +48,15 @@ static void check_param_range(char *section_eq, bool param,
void encode_seemp_params(struct seemp_logk_blk *blk)
{
- char *s = blk->payload.msg + 1;
+ struct seemp_logk_blk tmp;
+ char *s = 0;
+ char *msg_section_start = 0;
+ char *msg_section_eq = 0;
+ char *msg_s = 0;
- blk->payload.msg[BLK_MAX_MSG_SZ - 1] = 0; /* zero-terminate */
+ memcpy(tmp.payload.msg, blk->payload.msg, BLK_MAX_MSG_SZ);
+ s = tmp.payload.msg + 1;
+ tmp.payload.msg[BLK_MAX_MSG_SZ - 1] = 0; /* zero-terminate */
while (true) {
char *section_start = s;
@@ -105,8 +111,13 @@ void encode_seemp_params(struct seemp_logk_blk *blk)
}
}
- encode_seemp_section(section_start, section_eq, s, param,
- numeric, id, numeric_value);
+ msg_section_start = blk->payload.msg + (section_start -
+ tmp.payload.msg);
+ msg_section_eq = blk->payload.msg + (section_eq -
+ tmp.payload.msg);
+ msg_s = blk->payload.msg + (s - tmp.payload.msg);
+ encode_seemp_section(msg_section_start, msg_section_eq,
+ msg_s, param, numeric, id, numeric_value);
if (*s == 0)
break;
--
cgit v1.1