DivestOS/Patches/Linux_CVEs/CVE-2015-6642/ANY/0001.patch
2017-11-07 17:32:46 -05:00


From 4ad825ba2968666069740c3e80fe31ed3d0e29ba Mon Sep 17 00:00:00 2001
From: Arun Kumar Neelakantam <aneela@codeaurora.org>
Date: Wed, 27 Jan 2016 18:46:01 +0530
Subject: net: ipc_router: fix leak of kernel memory to userspace
The service info structure is allocated with uninitialized memory for the
max number of services, and the complete structure is returned to userspace,
resulting in an information leak if the lookup operation finds fewer
services than the requested number.
Check the minimum of requested and available services and copy the minimum
information to the user-space.
CRs-Fixed: 965934
Change-Id: Ic97f875855fdc6440c1db1d8d0338ee8b03a9d0a
Signed-off-by: Arun Kumar Neelakantam <aneela@codeaurora.org>
---
net/ipc_router/ipc_router_socket.c | 17 +++++++++++------
1 file changed, 11 insertions(+), 6 deletions(-)
diff --git a/net/ipc_router/ipc_router_socket.c b/net/ipc_router/ipc_router_socket.c
index b127120..c26993c 100644
--- a/net/ipc_router/ipc_router_socket.c
+++ b/net/ipc_router/ipc_router_socket.c
@@ -1,4 +1,4 @@
-/* Copyright (c) 2011-2015, The Linux Foundation. All rights reserved.
+/* Copyright (c) 2011-2016, The Linux Foundation. All rights reserved.
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2 and
@@ -496,13 +496,18 @@ static int msm_ipc_router_ioctl(struct socket *sock,
ret = copy_to_user((void *)arg, &server_arg,
sizeof(server_arg));
- if (srv_info_sz) {
+
+ n = min(server_arg.num_entries_found,
+ server_arg.num_entries_in_array);
+
+ if (ret == 0 && n) {
ret = copy_to_user((void *)(arg + sizeof(server_arg)),
- srv_info, srv_info_sz);
- if (ret)
- ret = -EFAULT;
- kfree(srv_info);
+ srv_info, n * sizeof(*srv_info));
}
+
+ if (ret)
+ ret = -EFAULT;
+ kfree(srv_info);
break;
case IPC_ROUTER_IOCTL_BIND_CONTROL_PORT:
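Review bot: Limiting the second copy_to_user() to `n * sizeof(*srv_info)` closes the leak only if the lookup fully wrote each of the first n entries; per the commit message the srv_info buffer is still allocated uninitialized, and that allocation sits outside this hunk. Zeroing the buffer at allocation time (kzalloc or kcalloc instead of an uninitialized allocation) would be worth adding as defence in depth, so that a partially filled entry or struct padding cannot carry stale heap contents to userspace. The guard `if (ret == 0 && n)` accepts any non-zero n as a count; the types of n and of the two count fields are not visible here, so if any of them is signed, `if (ret == 0 && n > 0)` would state the assumption explicitly. A short comment above the min() would help the next reader: `/* copy only the entries the lookup filled in; the rest of srv_info is uninitialized */`. The kfree() that moved out of the conditional relies on srv_info being NULL when no array was requested, which is also established outside the hunk.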
--
cgit v1.1