From 4b3d11e76bd6470582ce306808d45869ede0de9b Mon Sep 17 00:00:00 2001
From: Patrick Tjin
Date: Tue, 13 Oct 2015 08:06:00 -0700
Subject: [PATCH] msm: ipc_socket: fix leak of kernel memory to userspace

Limit the size of copy to the minimum of what was asked for or the number of results returned to prevent leaking of uninitialized kernel memory to userspace.

Bug: 24157888
Signed-off-by: Patrick Tjin
Change-Id: I7433135ea3345905c053a81d0d759619b46c1430
---
 arch/arm/mach-msm/ipc_socket.c | 16 ++++++++++------
 1 file changed, 10 insertions(+), 6 deletions(-)

diff --git a/arch/arm/mach-msm/ipc_socket.c b/arch/arm/mach-msm/ipc_socket.c
index 839fa4782575..3fcbe2748e44 100644
--- a/arch/arm/mach-msm/ipc_socket.c
+++ b/arch/arm/mach-msm/ipc_socket.c
@@ -414,16 +414,20 @@ static int msm_ipc_router_ioctl(struct socket *sock,
 break;
 }
 server_arg.num_entries_found = ret;
- ret = copy_to_user((void *)arg, &server_arg, sizeof(server_arg));
- if (srv_info_sz) {
+
+ n = min(server_arg.num_entries_found,
+ server_arg.num_entries_in_array);
+
+ if (ret == 0 && n) {
 ret = copy_to_user((void *)(arg + sizeof(server_arg)),
- srv_info, srv_info_sz);
- if (ret)
- ret = -EFAULT;
- kfree(srv_info);
+ srv_info, n * sizeof (*srv_info));
 }
+
+ if (ret)
+ ret = -EFAULT;
+ kfree(srv_info);
 break;
 case IPC_ROUTER_IOCTL_BIND_CONTROL_PORT: