DivestOS/Patches/Linux_CVEs-New/CVE-2017-10997/ANY/0.patch

From fae242db5e1943ba878b4fb215fe6e7f1c387a20 Mon Sep 17 00:00:00 2001
From: Tony Truong <truong@codeaurora.org>
Date: Fri, 6 Jan 2017 14:03:03 -0800
Subject: msm: pcie: add bounds check for debugfs register write

Via debugfs nodes, users have the option to read and write to
any PCIe register. To ensure clients do not access registers
outside the PCIe range, add checks to validate the offset clients
provide.

Bug: 33039685
Change-Id: Ia35cd04c57f01c21a47962be596bca395b5ca247
Signed-off-by: Tony Truong <truong@codeaurora.org>
---
 drivers/pci/host/pci-msm.c | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

diff --git a/drivers/pci/host/pci-msm.c b/drivers/pci/host/pci-msm.c
index 1b80fa1..ffaa059 100644
--- a/drivers/pci/host/pci-msm.c
+++ b/drivers/pci/host/pci-msm.c
@@ -1,4 +1,4 @@
-/* Copyright (c) 2014-2015, The Linux Foundation. All rights reserved.
+/* Copyright (c) 2014-2017, The Linux Foundation. All rights reserved.
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License version 2 and
@@ -1691,8 +1691,15 @@ static void msm_pcie_sel_debug_testcase(struct msm_pcie_dev_t *dev,
 			dev->res[base_sel - 1].base,
 			wr_offset, wr_mask, wr_value);
 
-		msm_pcie_write_reg_field(dev->res[base_sel - 1].base,
-			wr_offset, wr_mask, wr_value);
+		base_sel_size = resource_size(dev->res[base_sel - 1].resource);
+
+		if (wr_offset >  base_sel_size - 4 ||
+			msm_pcie_check_align(dev, wr_offset))
+			pr_alert("PCIe: RC%d: Invalid wr_offset: 0x%x. wr_offset should be no more than 0x%x\n",
+				dev->rc_idx, wr_offset, base_sel_size - 4);
+		else
+			msm_pcie_write_reg_field(dev->res[base_sel - 1].base,
+				wr_offset, wr_mask, wr_value);
 
 		break;
 	case 13: /* dump all registers of base_sel */
-- 
cgit v1.1