DivestOS/Patches/Linux_CVEs/CVE-2017-0518/3.18/0.patch

From 015d1d5dc8c42d6ab92a31b99cd9f089fae1d27e Mon Sep 17 00:00:00 2001
From: Dennis Cagle <d-cagle@codeaurora.org>
Date: Fri, 6 Jan 2017 15:50:35 -0800
Subject: [PATCH] QBT1000: check for null pointer before copying command

A null command buffer will cause a null pointer crash.
Check for it.

Bug: 32372915
Bug: 32370896
CRs-fixed: 1041652, 1081802
Change-Id: I37a0c8b9fe2c144fb4e75036509bf7ec07604ea7
Signed-off-by: Lior Barenboim <liorb@codeaurora.org>
Signed-off-by: Dennis Cagle <d-cagle@codeaurora.org>
---
 drivers/soc/qcom/qbt1000.c | 7 +++++++
 1 file changed, 7 insertions(+)
 mode change 100644 => 100755 drivers/soc/qcom/qbt1000.c

diff --git a/drivers/soc/qcom/qbt1000.c b/drivers/soc/qcom/qbt1000.c
old mode 100644
new mode 100755
index 135e2b834db30..101fcedd1f2c0
--- a/drivers/soc/qcom/qbt1000.c
+++ b/drivers/soc/qcom/qbt1000.c
@@ -862,6 +862,13 @@ static long qbt1000_ioctl(struct file *file, unsigned cmd, unsigned long arg)
 		if (rc != 0)
 			goto end;
 
+		if (!aligned_cmd) {
+			dev_err(drvdata->dev, "%s: Null command buffer\n",
+				__func__);
+			rc = -EINVAL;
+			goto end;
+		}
+
 		rc = copy_from_user(aligned_cmd, (void __user *)tzcmd.req_buf,
 				tzcmd.req_buf_len);
 		if (rc != 0) {