DivestOS/Patches/Linux_CVEs/CVE-2017-0518/3.18/0001.patch

40 lines
1.2 KiB
Diff
Raw Normal View History

From 015d1d5dc8c42d6ab92a31b99cd9f089fae1d27e Mon Sep 17 00:00:00 2001
From: Dennis Cagle <d-cagle@codeaurora.org>
Date: Fri, 6 Jan 2017 15:50:35 -0800
Subject: [PATCH] QBT1000: check for null pointer before copying command
A null command buffer will cause a null pointer crash.
Check for it.
Bug: 32372915
Bug: 32370896
CRs-fixed: 1041652, 1081802
Change-Id: I37a0c8b9fe2c144fb4e75036509bf7ec07604ea7
Signed-off-by: Lior Barenboim <liorb@codeaurora.org>
Signed-off-by: Dennis Cagle <d-cagle@codeaurora.org>
---
drivers/soc/qcom/qbt1000.c | 7 +++++++
1 file changed, 7 insertions(+)
mode change 100644 => 100755 drivers/soc/qcom/qbt1000.c
diff --git a/drivers/soc/qcom/qbt1000.c b/drivers/soc/qcom/qbt1000.c
old mode 100644
new mode 100755
index 135e2b834db30..101fcedd1f2c0
--- a/drivers/soc/qcom/qbt1000.c
+++ b/drivers/soc/qcom/qbt1000.c
@@ -862,6 +862,13 @@ static long qbt1000_ioctl(struct file *file, unsigned cmd, unsigned long arg)
if (rc != 0)
goto end;
+ if (!aligned_cmd) {
+ dev_err(drvdata->dev, "%s: Null command buffer\n",
+ __func__);
+ rc = -EINVAL;
+ goto end;
+ }
+
rc = copy_from_user(aligned_cmd, (void __user *)tzcmd.req_buf,
tzcmd.req_buf_len);
if (rc != 0) {