DivestOS/Patches/Linux_CVEs/CVE-2017-8259/ANY/0.patch
2017-10-29 22:14:37 -04:00

51 lines
1.9 KiB
Diff

From 68020103af00280393da10039b968c95d68e526c Mon Sep 17 00:00:00 2001
From: Puja Gupta <pujag@codeaurora.org>
Date: Mon, 6 Mar 2017 15:04:11 -0800
Subject: soc: qcom: Avoid possible buffer overflow in service-locator
Fix possible buffer overflow by reading 'resp->total_domains' from the
qmi response message since 'resp->total_domains' indicate total number
of matching domains found by servreg.
'resp->domain_list_len' indicates the domains that could be sent in one
response which should not be greater than 'resp->total_domains'.
CRs-Fixed: 2009016
Change-Id: I614561c5f9bc996689129bc098baaffc9b59c377
Signed-off-by: Puja Gupta <pujag@codeaurora.org>
---
drivers/soc/qcom/service-locator.c | 11 +++++++----
1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/drivers/soc/qcom/service-locator.c b/drivers/soc/qcom/service-locator.c
index 8581ed5..0d6c1d6 100644
--- a/drivers/soc/qcom/service-locator.c
+++ b/drivers/soc/qcom/service-locator.c
@@ -266,10 +266,9 @@ static int service_locator_send_msg(struct pd_qmi_client_data *pd)
if (!domains_read) {
db_rev_count = pd->db_rev_count = resp->db_rev_count;
pd->total_domains = resp->total_domains;
- if (!pd->total_domains && resp->domain_list_len) {
- pr_err("total domains not set\n");
- pd->total_domains = resp->domain_list_len;
- }
+ if (!resp->total_domains)
+ pr_info("No matching domains found\n");
+
pd->domain_list = kmalloc(
sizeof(struct servreg_loc_entry_v01) *
resp->total_domains, GFP_KERNEL);
@@ -286,6 +285,10 @@ static int service_locator_send_msg(struct pd_qmi_client_data *pd)
rc = -EAGAIN;
goto out;
}
+ if (resp->domain_list_len > resp->total_domains) {
+ /* Always read total_domains from the response msg */
+ resp->domain_list_len = resp->total_domains;
+ }
/* Copy the response*/
store_get_domain_list_response(pd, resp, domains_read);
domains_read += resp->domain_list_len;
--
cgit v1.1