DivestOS/Patches/Linux_CVEs/CVE-2016-5854/0.patch

From 28d23d4d7999f683b27b6e0c489635265b67a4c9 Mon Sep 17 00:00:00 2001
From: Amir Samuelov <amirs@codeaurora.org>
Date: Sat, 26 Nov 2016 18:44:06 +0200
Subject: spcom: check size before calling copy_to_user()

Calling copy_to_user(to, from, size) with negative value
might cause heap overflow since size is unsigned parameter
and negative value is cast to big unsigned value.

CRs-Fixed: 1092683
Change-Id: I9b4a0710aa33942de2976f7ee158a8025dd6a20e
Signed-off-by: Amir Samuelov <amirs@codeaurora.org>
---
drivers/soc/qcom/spcom.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/drivers/soc/qcom/spcom.c b/drivers/soc/qcom/spcom.c
index fcdcf0b..7cb538b 100644
--- a/drivers/soc/qcom/spcom.c
+++ b/drivers/soc/qcom/spcom.c
@@ -2125,6 +2125,11 @@ static ssize_t spcom_device_read(struct file *filp, char __user *user_buff,
return -ENOMEM;
actual_size = spcom_handle_read(ch, buf, size);
+ if ((actual_size <= 0) || (actual_size > size)) {
+ pr_err("invalid actual_size [%d].\n", actual_size);
+ kfree(buf);
+ return -EFAULT;
+ }
ret = copy_to_user(user_buff, buf, actual_size);
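Review bot: the new branch `if ((actual_size <= 0) || (actual_size > size))` returns `-EFAULT` for every failure, so any negative value coming back from `spcom_handle_read()` (presumably an errno) is discarded, and a zero-length result is reported as a fault instead of a 0-byte read. Suggest splitting the cases: for `actual_size < 0`, free `buf` and return `actual_size` itself; decide explicitly what `actual_size == 0` should return to the caller; and keep a fixed error code only for `actual_size > size`. Two smaller points in the same branch: the `%d` format indicates `actual_size` is a signed int, so if `size` is unsigned the `actual_size > size` comparison is only correct because the `<= 0` test short-circuits first, which deserves a comment or an explicit cast; and since this `pr_err()` sits on the device read path, `pr_err_ratelimited()` would keep repeated bad reads from flooding the kernel log.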
--
cgit v1.1