msm: ipa: Fix to validate the buffer size

Adding code changes to validate buffer size. While calling ipa_read verifying the kernel buffer size in range or not. Change-Id: Idc608c2cf0587a00f19ece38a4eb646f7fde68e3 Signed-off-by: Praveen Kurapati <pkurapat@codeaurora.org> CVE-2019-2333 Signed-off-by: Kevin F. Haggerty <haggertk@lineageos.org>
2019-01-17 15:36:31 +05:30 · 2019-01-17 15:36:31 +05:30 · 66c27b00ee
parent b7745a1a03
commit 66c27b00ee
1 changed files with 17 additions and 4 deletions
--- a/drivers/platform/msm/ipa/ipa_intf.c
+++ b/drivers/platform/msm/ipa/ipa_intf.c
@ -1,4 +1,4 @@
-/* Copyright (c) 2013, The Linux Foundation. All rights reserved.
+/* Copyright (c) 2013-2019, The Linux Foundation. All rights reserved.
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License version 2 and
@ -440,8 +440,14 @@ ssize_t ipa_read(struct file *filp, char __user *buf, size_t count,
 		if (msg) {
 			locked = 0;
 			mutex_unlock(&ipa_ctx->msg_lock);
+			if (count < sizeof(struct ipa_msg_meta)) {
+				kfree(msg);
+				msg = NULL;
+				ret = -EFAULT;
+				break;
+			}
 			if (copy_to_user(buf, &msg->meta,
-					  sizeof(struct ipa_msg_meta))) {
+					sizeof(struct ipa_msg_meta))) {
 				kfree(msg);
 				msg = NULL;
 				ret = -EFAULT;
@ -450,8 +456,15 @@ ssize_t ipa_read(struct file *filp, char __user *buf, size_t count,
 			buf += sizeof(struct ipa_msg_meta);
 			count -= sizeof(struct ipa_msg_meta);
 			if (msg->buff) {
-				if (copy_to_user(buf, msg->buff,
-						  msg->meta.msg_len)) {
+				if (count >= msg->meta.msg_len) {
+					if (copy_to_user(buf, msg->buff,
+							msg->meta.msg_len)) {
+						kfree(msg);
+						msg = NULL;
+						ret = -EFAULT;
+						break;
+					}
+				} else {
 					kfree(msg);
 					msg = NULL;
 					ret = -EFAULT;