DivestOS/Patches/Linux_CVEs/CVE-2017-8243/4.4/0001.patch

40 lines
1.2 KiB
Diff
Raw Normal View History

2017-11-07 17:32:46 -05:00
From cae0d5a6f32e52e06c0841bb7142452062dc2ac8 Mon Sep 17 00:00:00 2001
From: Kishor PK <kpbhat@codeaurora.org>
Date: Thu, 30 Mar 2017 14:23:37 +0530
Subject: soc: qcom: pil: Avoid possible buffer overflow during Modem boot
Buffer overflow can occur if MBA firmware size exceeds 1MB.
So validate size before copying the firmware.
CRs-Fixed: 2001803
Change-Id: I070ddf85fbc47df072e7258369272366262ebf46
Signed-off-by: Kishor PK <kpbhat@codeaurora.org>
---
drivers/soc/qcom/pil-msa.c | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/drivers/soc/qcom/pil-msa.c b/drivers/soc/qcom/pil-msa.c
index 53bddc5..988b6e8 100644
--- a/drivers/soc/qcom/pil-msa.c
+++ b/drivers/soc/qcom/pil-msa.c
@@ -616,7 +616,15 @@ int pil_mss_reset_load_mba(struct pil_desc *pil)
/* Load the MBA image into memory */
count = fw->size;
- memcpy(mba_dp_virt, data, count);
+ if (count <= SZ_1M) {
+ /* Ensures memcpy is done for max 1MB fw size */
+ memcpy(mba_dp_virt, data, count);
+ } else {
+ dev_err(pil->dev, "%s fw image loading into memory is failed due to fw size overflow\n",
+ __func__);
+ ret = -EINVAL;
+ goto err_mba_data;
+ }
/* Ensure memcpy of the MBA memory is done before loading the DP */
wmb();
--
cgit v1.1