DivestOS/Patches/Linux_CVEs/CVE-2017-0462/4.4/0002.patch

From 9a71e9a686942ae3c491061ab275a3678ee2819a Mon Sep 17 00:00:00 2001
From: ahmedsh <ahmedsh@codeaurora.org>
Date: Mon, 9 Jan 2017 17:24:09 -0500
Subject: seemp: use local stack mem when encoding params

Avoid race condition in driver when encoding param by
reading contents from a local copy instead of msg buffer
itself which can be mapped to user space.

Change-Id: I405ca6c7fcb0afa112e0851907b5dca805ac5411
Signed-off-by: Ahmed Sheikh <ahmedsh@codeaurora.org>
---
 .../platform/msm/seemp_core/seemp_event_encoder.c   | 21 ++++++++++++++++-----
 1 file changed, 16 insertions(+), 5 deletions(-)

diff --git a/drivers/platform/msm/seemp_core/seemp_event_encoder.c b/drivers/platform/msm/seemp_core/seemp_event_encoder.c
index df56a84..36901f5 100644
--- a/drivers/platform/msm/seemp_core/seemp_event_encoder.c
+++ b/drivers/platform/msm/seemp_core/seemp_event_encoder.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2015, The Linux Foundation. All rights reserved.
+ * Copyright (c) 2015, 2017, The Linux Foundation. All rights reserved.
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License version 2 and
@@ -48,9 +48,15 @@ static void check_param_range(char *section_eq, bool param,
 
 void encode_seemp_params(struct seemp_logk_blk *blk)
 {
-	char *s = blk->payload.msg + 1;
+	struct seemp_logk_blk tmp;
+	char *s = 0;
+	char *msg_section_start = 0;
+	char *msg_section_eq = 0;
+	char *msg_s = 0;
 
-	blk->payload.msg[BLK_MAX_MSG_SZ - 1] = 0; /* zero-terminate */
+	memcpy(tmp.payload.msg, blk->payload.msg, BLK_MAX_MSG_SZ);
+	s = tmp.payload.msg + 1;
+	tmp.payload.msg[BLK_MAX_MSG_SZ - 1] = 0; /* zero-terminate */
 
 	while (true) {
 		char *section_start = s;
@@ -105,8 +111,13 @@ void encode_seemp_params(struct seemp_logk_blk *blk)
 			}
 		}
 
-		encode_seemp_section(section_start, section_eq, s, param,
-					numeric, id, numeric_value);
+		msg_section_start = blk->payload.msg + (section_start -
+				tmp.payload.msg);
+		msg_section_eq = blk->payload.msg + (section_eq -
+				tmp.payload.msg);
+		msg_s = blk->payload.msg + (s - tmp.payload.msg);
+		encode_seemp_section(msg_section_start, msg_section_eq,
+				msg_s, param, numeric, id, numeric_value);
 
 		if (*s == 0)
 			break;
-- 
cgit v1.1