From 3b1f22ab26a8e5c369b6e4df99808e2c0f5e3940 Mon Sep 17 00:00:00 2001
From: Arun Kumar Neelakantam
Date: Wed, 27 Jan 2016 18:46:01 +0530
Subject: [PATCH] net: ipc_router: fix leak of kernel memory to userspace
The service info structure is allocated with uninitialized memory for the max number of services and returns the complete structure to the usersapce resulting in the information leak if lookup operation finds less number of services than the requested number. Check the minimum of requested and available services and copy the minimum information to the user-space.
CRs-Fixed: 965934
Change-Id: Ic97f875855fdc6440c1db1d8d0338ee8b03a9d0a
Signed-off-by: Arun Kumar Neelakantam
---
 net/ipc_router/ipc_router_socket.c | 17 +++++++++++------
 1 file changed, 11 insertions(+), 6 deletions(-)
diff --git a/net/ipc_router/ipc_router_socket.c b/net/ipc_router/ipc_router_socket.c
index a4e7575d5ad3..a4145ba5808a 100644
--- a/net/ipc_router/ipc_router_socket.c
+++ b/net/ipc_router/ipc_router_socket.c
@@ -1,4 +1,4 @@
-/* Copyright (c) 2011-2015, The Linux Foundation. All rights reserved.
+/* Copyright (c) 2011-2016, The Linux Foundation. All rights reserved.
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License version 2 and
@@ -494,13 +494,18 @@ static int msm_ipc_router_ioctl(struct socket *sock,
 ret = copy_to_user((void *)arg, &server_arg, sizeof(server_arg));
- if (srv_info_sz) {
+
+ n = min(server_arg.num_entries_found,
+ server_arg.num_entries_in_array);
+
+ if (ret == 0 && n) {
 ret = copy_to_user((void *)(arg + sizeof(server_arg)),
- srv_info, srv_info_sz);
- if (ret)
- ret = -EFAULT;
- kfree(srv_info);
+ srv_info, n * sizeof(*srv_info));
 }
+
+ if (ret)
+ ret = -EFAULT;
+ kfree(srv_info);
 break;
 case IPC_ROUTER_IOCTL_BIND_CONTROL_PORT:
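Review bot: The second `copy_to_user()` in the `@@ -494` hunk now bounds the copy at `n * sizeof(*srv_info)`, but `srv_info` is still allocated uninitialized according to the commit message. Any byte inside the first `n` entries that the lookup does not write (struct padding, an unset field) would therefore still reach userspace. The allocation is outside this hunk; zeroing it there, e.g. `srv_info = kzalloc(srv_info_sz, GFP_KERNEL);`, would make the fix independent of how the lookup fills the array. The declaration of `n` and the types of `num_entries_found` and `num_entries_in_array` are also not visible here. If any of them is signed, a negative count would wrap in the multiplication, so I would confirm they are unsigned or add an explicit `n > 0` guard before the copy.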