From 28d23d4d7999f683b27b6e0c489635265b67a4c9 Mon Sep 17 00:00:00 2001
From: Amir Samuelov <amirs@codeaurora.org>
Date: Sat, 26 Nov 2016 18:44:06 +0200
Subject: spcom: check size before calling copy_to_user()
Calling copy_to_user(to, from, size) with negative value
might cause heap overflow since size is unsigned parameter
and negative value is cast to big unsigned value.
CRs-Fixed: 1092683
Change-Id: I9b4a0710aa33942de2976f7ee158a8025dd6a20e
Signed-off-by: Amir Samuelov <amirs@codeaurora.org>
---
drivers/soc/qcom/spcom.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/drivers/soc/qcom/spcom.c b/drivers/soc/qcom/spcom.c
index fcdcf0b..7cb538b 100644
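--- a/drivers/soc/qcom/spcom.c
+++ b/drivers/soc/qcom/spcom.c
@@ -2125,6 +2125,11 @@ static ssize_t spcom_device_read(struct file *filp, char __user *user_buff,
 return -ENOMEM;
 
 actual_size = spcom_handle_read(ch, buf, size);
+ if ((actual_size <= 0) || (actual_size > size)) {
+ pr_err("invalid actual_size [%d].\n", actual_size);
+ kfree(buf);
+ return -EFAULT;
+ }
 
 ret = copy_to_user(user_buff, buf, actual_size);
 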
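Review bot: The new error branch returns `-EFAULT` for every rejected value, so a negative error code from spcom_handle_read() and a zero-length result both reach the caller as a bad-address fault. That function is not visible here, so this needs confirming, but if it returns errno values then `return actual_size < 0 ? actual_size : -EFAULT;` would preserve the real cause. The `pr_err` sits on a path that appears to be driven by a userspace read(), so `pr_err_ratelimited("invalid actual_size [%d].\n", actual_size);` would keep a misbehaving caller from flooding the kernel log. A one-line comment above the check, such as `/* reject lengths outside (0, size] before copy_to_user() */`, would record why the bound exists for whoever next touches this path. spcom_device_read starts and ends outside the hunk.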
--
cgit v1.1