DivestOS/Patches/Linux_CVEs/CVE-2017-10997/4.4/0002.patch

From a395a070880acc679e3832b21d96504edbbe4af2 Mon Sep 17 00:00:00 2001
From: Tony Truong <truong@codeaurora.org>
Date: Fri, 6 Jan 2017 14:03:03 -0800
Subject: msm: pcie: add bounds check for debugfs register write

Via debugfs nodes, users have the option to read and write to
any PCIe register. To ensure clients do not access registers
outside the PCIe range, add checks to validate the offset clients
provide.

Change-Id: Ia35cd04c57f01c21a47962be596bca395b5ca247
Signed-off-by: Tony Truong <truong@codeaurora.org>
---
 drivers/pci/host/pci-msm.c | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)

diff --git a/drivers/pci/host/pci-msm.c b/drivers/pci/host/pci-msm.c
index 7c8b5e3..cd105a0 100644
--- a/drivers/pci/host/pci-msm.c
+++ b/drivers/pci/host/pci-msm.c
@@ -1,4 +1,4 @@
-/* Copyright (c) 2014-2016, The Linux Foundation. All rights reserved.
+/* Copyright (c) 2014-2017, The Linux Foundation. All rights reserved.
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License version 2 and
@@ -2414,8 +2414,16 @@ static void msm_pcie_sel_debug_testcase(struct msm_pcie_dev_t *dev,
 			dev->res[base_sel - 1].base,
 			wr_offset, wr_mask, wr_value);
 
-		msm_pcie_write_reg_field(dev->res[base_sel - 1].base,
-			wr_offset, wr_mask, wr_value);
+		base_sel_size = resource_size(dev->res[base_sel - 1].resource);
+
+		if (wr_offset >  base_sel_size - 4 ||
+			msm_pcie_check_align(dev, wr_offset))
+			PCIE_DBG_FS(dev,
+				"PCIe: RC%d: Invalid wr_offset: 0x%x. wr_offset should be no more than 0x%x\n",
+				dev->rc_idx, wr_offset, base_sel_size - 4);
+		else
+			msm_pcie_write_reg_field(dev->res[base_sel - 1].base,
+				wr_offset, wr_mask, wr_value);
 
 		break;
 	case 13: /* dump all registers of base_sel */
-- 
cgit v1.1