DivestOS/Patches/Linux_CVEs/CVE-2016-5345/ANY/0.patch

From 67118716a2933f6f30a25ea7e3946569a8b191c6 Mon Sep 17 00:00:00 2001
From: Kamal Negi <kamaln@codeaurora.org>
Date: Wed, 19 Oct 2016 18:59:11 +0530
Subject: radio-iris: check argument values before copying the data

Check arguments passed in an ioctl before copying the data to kernel
buffers. If user sends an erroneous data, data length more than expected,
will lead to buffer overflow.

Change-Id: I663e937806f38dc3b04c8d7662cd8b045facd12b
Signed-off-by: Kamal Negi <kamaln@codeaurora.org>
---
 drivers/media/radio/radio-iris.c | 19 ++++++++++++++++---
 1 file changed, 16 insertions(+), 3 deletions(-)

diff --git a/drivers/media/radio/radio-iris.c b/drivers/media/radio/radio-iris.c
index b3088eb..bd4eb92 100644
--- a/drivers/media/radio/radio-iris.c
+++ b/drivers/media/radio/radio-iris.c
@@ -3884,8 +3884,20 @@ static int iris_vidioc_s_ext_ctrls(struct file *file, void *priv,
 		bytes_to_copy = (ctrl->controls[0]).size;
 		spur_tbl_req.mode = data[0];
 		spur_tbl_req.no_of_freqs_entries = data[1];
-		spur_data = kmalloc((data[1] * SPUR_DATA_LEN) + 2,
-							GFP_ATOMIC);
+
+		if (((spur_tbl_req.no_of_freqs_entries * SPUR_DATA_LEN) !=
+					bytes_to_copy - 2) ||
+		    ((spur_tbl_req.no_of_freqs_entries * SPUR_DATA_LEN) >
+					2 * FM_SPUR_TBL_SIZE)) {
+			FMDERR("Invalid data len: data[1] = %d, bytes = %zu",
+				spur_tbl_req.no_of_freqs_entries,
+				bytes_to_copy);
+			retval = -EINVAL;
+			goto END;
+		}
+		spur_data =
+		    kmalloc((spur_tbl_req.no_of_freqs_entries * SPUR_DATA_LEN)
+							+ 2, GFP_ATOMIC);
 		if (!spur_data) {
 			FMDERR("Allocation failed for Spur data");
 			retval = -EFAULT;
@@ -3900,7 +3912,8 @@ static int iris_vidioc_s_ext_ctrls(struct file *file, void *priv,
 
 		if (spur_tbl_req.no_of_freqs_entries <= ENTRIES_EACH_CMD) {
 			memcpy(&spur_tbl_req.spur_data[0], spur_data,
-					(data[1] * SPUR_DATA_LEN));
+				(spur_tbl_req.no_of_freqs_entries *
+							SPUR_DATA_LEN));
 			retval = radio_hci_request(radio->fm_hdev,
 					hci_fm_set_spur_tbl_req,
 					(unsigned long)&spur_tbl_req,
-- 
cgit v1.1