DivestOS/Patches/Linux_CVEs/CVE-2017-0620/ANY/0001.patch
2017-11-07 17:32:46 -05:00

61 lines
1.9 KiB
Diff

From 01b2c9a5d728ff6f2f1f28a5d4e927aaeabf56ed Mon Sep 17 00:00:00 2001
From: Satya Durga Srinivasu Prabhala <satyap@codeaurora.org>
Date: Tue, 25 Oct 2016 16:35:23 -0700
Subject: soc: qcom: scm: add check to avoid buffer overflow
There is a posibility of a buffer overflow in scm_call,
add check to avoid the same.
Change-Id: Iee908c56ec530569b35dafa060139e0428efc781
Signed-off-by: Satya Durga Srinivasu Prabhala <satyap@codeaurora.org>
---
drivers/soc/qcom/scm.c | 18 ++++++++++++------
1 file changed, 12 insertions(+), 6 deletions(-)
diff --git a/drivers/soc/qcom/scm.c b/drivers/soc/qcom/scm.c
index 714c848..b4713ac 100644
--- a/drivers/soc/qcom/scm.c
+++ b/drivers/soc/qcom/scm.c
@@ -56,9 +56,16 @@ DEFINE_MUTEX(scm_lmh_lock);
#define SMC_ATOMIC_MASK 0x80000000
#define IS_CALL_AVAIL_CMD 1
-#define SCM_BUF_LEN(__cmd_size, __resp_size) \
- (sizeof(struct scm_command) + sizeof(struct scm_response) + \
- __cmd_size + __resp_size)
+#define SCM_BUF_LEN(__cmd_size, __resp_size) ({ \
+ size_t x = __cmd_size + __resp_size; \
+ size_t y = sizeof(struct scm_command) + sizeof(struct scm_response); \
+ size_t result; \
+ if (x < __cmd_size || (x + y) < x) \
+ result = 0; \
+ else \
+ result = x + y; \
+ result; \
+ })
/**
* struct scm_command - one SCM command buffer
* @len: total available memory for command and response
@@ -356,8 +363,7 @@ int scm_call_noalloc(u32 svc_id, u32 cmd_id, const void *cmd_buf,
int ret;
size_t len = SCM_BUF_LEN(cmd_len, resp_len);
- if (cmd_len > scm_buf_len || resp_len > scm_buf_len ||
- len > scm_buf_len)
+ if (len == 0)
return -EINVAL;
if (!IS_ALIGNED((unsigned long)scm_buf, PAGE_SIZE))
@@ -780,7 +786,7 @@ int scm_call(u32 svc_id, u32 cmd_id, const void *cmd_buf, size_t cmd_len,
int ret;
size_t len = SCM_BUF_LEN(cmd_len, resp_len);
- if (cmd_len > len || resp_len > len)
+ if (len == 0 || PAGE_ALIGN(len) < len)
return -EINVAL;
cmd = kzalloc(PAGE_ALIGN(len), GFP_KERNEL);
--
cgit v1.1