DivestOS/Patches/Linux_CVEs/CVE-2017-8259/0.patch

From 68020103af00280393da10039b968c95d68e526c Mon Sep 17 00:00:00 2001
From: Puja Gupta <pujag@codeaurora.org>
Date: Mon, 6 Mar 2017 15:04:11 -0800
Subject: soc: qcom: Avoid possible buffer overflow in service-locator

Fix possible buffer overflow by reading 'resp->total_domains' from the
qmi response message since 'resp->total_domains' indicate total number
of matching domains found by servreg.
'resp->domain_list_len' indicates the domains that could be sent in one
response which should not be greater than 'resp->total_domains'.

CRs-Fixed: 2009016
Change-Id: I614561c5f9bc996689129bc098baaffc9b59c377
Signed-off-by: Puja Gupta <pujag@codeaurora.org>
---
 drivers/soc/qcom/service-locator.c | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/drivers/soc/qcom/service-locator.c b/drivers/soc/qcom/service-locator.c
index 8581ed5..0d6c1d6 100644
--- a/drivers/soc/qcom/service-locator.c
+++ b/drivers/soc/qcom/service-locator.c
@@ -266,10 +266,9 @@ static int service_locator_send_msg(struct pd_qmi_client_data *pd)
 		if (!domains_read) {
 			db_rev_count = pd->db_rev_count = resp->db_rev_count;
 			pd->total_domains = resp->total_domains;
-			if (!pd->total_domains && resp->domain_list_len) {
-				pr_err("total domains not set\n");
-				pd->total_domains = resp->domain_list_len;
-			}
+			if (!resp->total_domains)
+				pr_info("No matching domains found\n");
+
 			pd->domain_list = kmalloc(
 					sizeof(struct servreg_loc_entry_v01) *
 					resp->total_domains, GFP_KERNEL);
@@ -286,6 +285,10 @@ static int service_locator_send_msg(struct pd_qmi_client_data *pd)
 			rc = -EAGAIN;
 			goto out;
 		}
+		if (resp->domain_list_len >  resp->total_domains) {
+			/* Always read total_domains from the response msg */
+			resp->domain_list_len = resp->total_domains;
+		}
 		/* Copy the response*/
 		store_get_domain_list_response(pd, resp, domains_read);
 		domains_read += resp->domain_list_len;
-- 
cgit v1.1