Piteball/android_kernel_google_msm
1
0
Fork 0
mirror of https://github.com/followmsi/android_kernel_google_msm.git synced 2024-11-06 23:17:41 +00:00
Code Issues Projects Releases Wiki Activity

msm: ipc_socket: fix leak of kernel memory to userspace

Browse source 
Limit the size of copy to the minimum of what was asked
for or the number of results returned to prevent leaking of
uninitialized kernel memory to userspace.

Bug: 24157888

Signed-off-by: Patrick Tjin <pattjin@google.com>
Change-Id: I7433135ea3345905c053a81d0d759619b46c1430
This commit is contained in:
Patrick Tjin 2015-10-13 08:06:00 -07:00
parent bd8d871a8f
commit 4b3d11e76b
1 changed files with 10 additions and 6 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

16
arch/arm/mach-msm/ipc_socket.c
View file

@ -414,16 +414,20 @@ static int msm_ipc_router_ioctl(struct socket *sock,
break; break;
} }
server_arg.num_entries_found = ret; server_arg.num_entries_found = ret;
ret = copy_to_user((void *)arg, &server_arg, ret = copy_to_user((void *)arg, &server_arg,
sizeof(server_arg)); sizeof(server_arg));
if (srv_info_sz) {
n = min(server_arg.num_entries_found,
server_arg.num_entries_in_array);
if (ret == 0 && n) {
ret = copy_to_user((void *)(arg + sizeof(server_arg)), ret = copy_to_user((void *)(arg + sizeof(server_arg)),
srv_info, srv_info_sz); srv_info, n * sizeof (*srv_info));
if (ret)
ret = -EFAULT;
kfree(srv_info);
} }
if (ret)
ret = -EFAULT;
kfree(srv_info);
break; break;
case IPC_ROUTER_IOCTL_BIND_CONTROL_PORT: case IPC_ROUTER_IOCTL_BIND_CONTROL_PORT: