DivestOS/Patches/Linux_CVEs/CVE-2016-5857/ANY/0001.patch

From d9d2c405d46ca27b25ed55a8dbd02bd1e633e2d5 Mon Sep 17 00:00:00 2001
From: Amir Samuelov <amirs@codeaurora.org>
Date: Tue, 6 Dec 2016 18:18:16 +0200
Subject: spcom: check buf size for send modified command

Check buffer size validity before allocating kernel buffer.

CRs-Fixed: 1094140
Change-Id: I8c280b60f316d7bae87644104d18aa7df4af9efe
Signed-off-by: Amir Samuelov <amirs@codeaurora.org>
---
 drivers/soc/qcom/spcom.c | 34 ++++++++++++++++++++++++++++++++++
 1 file changed, 34 insertions(+)

diff --git a/drivers/soc/qcom/spcom.c b/drivers/soc/qcom/spcom.c
index 0c5f3b8..48f1157 100644
--- a/drivers/soc/qcom/spcom.c
+++ b/drivers/soc/qcom/spcom.c
@@ -1407,6 +1407,11 @@ static int modify_ion_addr(void *buf,
 		return -ENODEV;
 	}
 
+	if (buf_size < sizeof(uint64_t)) {
+		pr_err("buf size too small [%d].\n", buf_size);
+		return -ENODEV;
+	}
+
 	if (buf_offset > buf_size - sizeof(uint64_t)) {
 		pr_err("invalid buf_offset [%d].\n", buf_offset);
 		return -ENODEV;
@@ -1469,6 +1474,16 @@ static int spcom_handle_send_modified_command(struct spcom_channel *ch,
 
 	pr_debug("send req/resp ch [%s] size [%d] .\n", ch->name, size);
 
+	/*
+	 * check that cmd buf size is at least struct size,
+	 * to allow access to struct fields.
+	 */
+	if (size < sizeof(*cmd)) {
+		pr_err("ch [%s] invalid cmd buf.\n",
+			ch->name);
+		return -EINVAL;
+	}
+
 	/* Check if remote side connect */
 	if (!spcom_is_channel_connected(ch)) {
 		pr_err("ch [%s] remote side not connect.\n", ch->name);
@@ -1481,6 +1496,18 @@ static int spcom_handle_send_modified_command(struct spcom_channel *ch,
 	timeout_msec = cmd->timeout_msec;
 	memcpy(ion_info, cmd->ion_info, sizeof(ion_info));
 
+	/* Check param validity */
+	if (buf_size > SPCOM_MAX_RESPONSE_SIZE) {
+		pr_err("ch [%s] invalid buf size [%d].\n",
+			ch->name, buf_size);
+		return -EINVAL;
+	}
+	if (size != sizeof(*cmd) + buf_size) {
+		pr_err("ch [%s] invalid cmd size [%d].\n",
+			ch->name, size);
+		return -EINVAL;
+	}
+
 	/* Allocate Buffers*/
 	tx_buf_size = sizeof(*hdr) + buf_size;
 	tx_buf = kzalloc(tx_buf_size, GFP_KERNEL);
@@ -1746,6 +1773,13 @@ static int spcom_handle_read_req_resp(struct spcom_channel *ch,
 		return -ENOTCONN;
 	}
 
+	/* Check param validity */
+	if (size > SPCOM_MAX_RESPONSE_SIZE) {
+		pr_err("ch [%s] inavlid size [%d].\n",
+			ch->name, size);
+		return -EINVAL;
+	}
+
 	/* Allocate Buffers*/
 	rx_buf_size = sizeof(*hdr) + size;
 	rx_buf = kzalloc(rx_buf_size, GFP_KERNEL);
-- 
cgit v1.1
Add patches for many Linux CVEs, and overhaul script paths 2017-10-29 01:48:53 -04:00			`From d9d2c405d46ca27b25ed55a8dbd02bd1e633e2d5 Mon Sep 17 00:00:00 2001`
			`From: Amir Samuelov <amirs@codeaurora.org>`
			`Date: Tue, 6 Dec 2016 18:18:16 +0200`
			`Subject: spcom: check buf size for send modified command`

			`Check buffer size validity before allocating kernel buffer.`

			`CRs-Fixed: 1094140`
			`Change-Id: I8c280b60f316d7bae87644104d18aa7df4af9efe`
			`Signed-off-by: Amir Samuelov <amirs@codeaurora.org>`
			`---`
			`drivers/soc/qcom/spcom.c \| 34 ++++++++++++++++++++++++++++++++++`
			`1 file changed, 34 insertions(+)`

			`diff --git a/drivers/soc/qcom/spcom.c b/drivers/soc/qcom/spcom.c`
			`index 0c5f3b8..48f1157 100644`
			`--- a/drivers/soc/qcom/spcom.c`
			`+++ b/drivers/soc/qcom/spcom.c`
			`@@ -1407,6 +1407,11 @@ static int modify_ion_addr(void *buf,`
			`return -ENODEV;`
			`}`

			`+ if (buf_size < sizeof(uint64_t)) {`
			`+ pr_err("buf size too small [%d].\n", buf_size);`
			`+ return -ENODEV;`
			`+ }`
			`+`
			`if (buf_offset > buf_size - sizeof(uint64_t)) {`
			`pr_err("invalid buf_offset [%d].\n", buf_offset);`
			`return -ENODEV;`
			`@@ -1469,6 +1474,16 @@ static int spcom_handle_send_modified_command(struct spcom_channel *ch,`

			`pr_debug("send req/resp ch [%s] size [%d] .\n", ch->name, size);`

			`+ /*`
			`+ * check that cmd buf size is at least struct size,`
			`+ * to allow access to struct fields.`
			`+ */`
			`+ if (size < sizeof(*cmd)) {`
			`+ pr_err("ch [%s] invalid cmd buf.\n",`
			`+ ch->name);`
			`+ return -EINVAL;`
			`+ }`
			`+`
			`/* Check if remote side connect */`
			`if (!spcom_is_channel_connected(ch)) {`
			`pr_err("ch [%s] remote side not connect.\n", ch->name);`
			`@@ -1481,6 +1496,18 @@ static int spcom_handle_send_modified_command(struct spcom_channel *ch,`
			`timeout_msec = cmd->timeout_msec;`
			`memcpy(ion_info, cmd->ion_info, sizeof(ion_info));`

			`+ /* Check param validity */`
			`+ if (buf_size > SPCOM_MAX_RESPONSE_SIZE) {`
			`+ pr_err("ch [%s] invalid buf size [%d].\n",`
			`+ ch->name, buf_size);`
			`+ return -EINVAL;`
			`+ }`
			`+ if (size != sizeof(*cmd) + buf_size) {`
			`+ pr_err("ch [%s] invalid cmd size [%d].\n",`
			`+ ch->name, size);`
			`+ return -EINVAL;`
			`+ }`
			`+`
			`/* Allocate Buffers*/`
			`tx_buf_size = sizeof(*hdr) + buf_size;`
			`tx_buf = kzalloc(tx_buf_size, GFP_KERNEL);`
			`@@ -1746,6 +1773,13 @@ static int spcom_handle_read_req_resp(struct spcom_channel *ch,`
			`return -ENOTCONN;`
			`}`

			`+ /* Check param validity */`
			`+ if (size > SPCOM_MAX_RESPONSE_SIZE) {`
			`+ pr_err("ch [%s] inavlid size [%d].\n",`
			`+ ch->name, size);`
			`+ return -EINVAL;`
			`+ }`
			`+`
			`/* Allocate Buffers*/`
			`rx_buf_size = sizeof(*hdr) + size;`
			`rx_buf = kzalloc(rx_buf_size, GFP_KERNEL);`
			`--`
			`cgit v1.1`