DivestOS/Patches/Common/android_hardware_qcom_display/CVE-2019-2306-msm8960.patch

52 lines
2.3 KiB
Diff

From d3ed71555814de17fc7d1a9f8a8a1f2af5c21c08 Mon Sep 17 00:00:00 2001
From: Subash Chander <subash@codeaurora.org>
Date: Thu, 24 Jan 2019 15:33:57 +0530
Subject: [PATCH] Gralloc: Validate buffer parameters during importBuffer call
Validate buffer parameters like numInts, numFds, version etc of buffer
handle while importing the buffer
CRs-Fixed: 2337383
Change-Id: Ia1cb1cf05d845b5ef5b2feb476c2c924fa3bbf17
Signed-off-by: Subash Chander <subash@codeaurora.org>
---
libgralloc/gralloc_priv.h | 17 +++++++++--------
1 file changed, 9 insertions(+), 8 deletions(-)
diff --git a/libgralloc/gralloc_priv.h b/libgralloc/gralloc_priv.h
index 323cc7ac3..99d6b0f96 100644
--- a/libgralloc/gralloc_priv.h
+++ b/libgralloc/gralloc_priv.h
@@ -1,6 +1,6 @@
/*
* Copyright (C) 2008 The Android Open Source Project
- * Copyright (c) 2011-2013, The Linux Foundation. All rights reserved.
+ * Copyright (c) 2011-2013, 2019 The Linux Foundation. All rights reserved.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -227,15 +227,16 @@ struct private_handle_t : public native_handle {
static int validate(const native_handle* h) {
const private_handle_t* hnd = (const private_handle_t*)h;
if (!h || h->version != sizeof(native_handle) ||
- h->numInts != sNumInts || h->numFds != sNumFds ||
- hnd->magic != sMagic)
- {
+ h->numInts != sNumInts || h->numFds != sNumFds) {
ALOGD("Invalid gralloc handle (at %p): "
- "ver(%d/%d) ints(%d/%d) fds(%d/%d) magic(%c%c%c%c/%c%c%c%c)",
- h,
- h ? h->version : -1, sizeof(native_handle),
+ "ver(%d/%zu) ints(%d/%d) fds(%d/%d)",
+ h, h ? h->version : -1, sizeof(native_handle),
h ? h->numInts : -1, sNumInts,
- h ? h->numFds : -1, sNumFds,
+ h ? h->numFds : -1, sNumFds);
+ return -EINVAL;
+ }
+ if (hnd->magic != sMagic) {
+ ALOGD("magic(%c%c%c%c/%c%c%c%c)",
hnd ? (((hnd->magic >> 24) & 0xFF)?
((hnd->magic >> 24) & 0xFF) : '-') : '?',
hnd ? (((hnd->magic >> 16) & 0xFF)?