
Commit d9e397cf authored by Swetha Chikkaboraiah's avatar Swetha Chikkaboraiah Committed by Gerrit - the friendly Code Review server

ion: Fix integer overflow in msm_ion_custom_ioctl



While handling some of the custom commands, vaddr and offset
are controlled from userspace. Handle the case where the
start address can become 0, leading to unintentional
operations.

Fixes: ff8868e4 ("ion: ensure valid start address")
Change-Id: I995c7f0ae76910fa136ed95aaf4ac254d09885bd
Signed-off-by: default avatarSwetha Chikkaboraiah <schikk@codeaurora.org>
parent 5b31de59
+21 −10
@@ -637,6 +637,9 @@ static int check_vaddr_bounds(unsigned long start, unsigned long end)
	struct vm_area_struct *vma;
	int ret = 1;

	if (!start)
		goto out;

	if (end < start)
		goto out;

@@ -834,11 +837,17 @@ long msm_ion_custom_ioctl(struct ion_client *client,

		down_read(&mm->mmap_sem);

		if ((unsigned long)data.flush_data.vaddr >
				(ULONG_MAX - data.flush_data.offset)) {
			pr_err("%s: Integer overflow detected for %pK\n",
			       __func__, data.flush_data.vaddr);
			ret = -EINVAL;
		} else {
			start = (unsigned long)data.flush_data.vaddr +
				data.flush_data.offset;
			end = start + data.flush_data.length;

		if (start && check_vaddr_bounds(start, end)) {
			if (check_vaddr_bounds(start, end)) {
				pr_err("%s: virtual address %pK is out of bounds\n",
				       __func__, data.flush_data.vaddr);
				ret = -EINVAL;
@@ -848,6 +857,8 @@ long msm_ion_custom_ioctl(struct ion_client *client,
					data.flush_data.offset,
					data.flush_data.length, cmd);
			}
		}

		up_read(&mm->mmap_sem);

		ion_free_nolock(client, handle);
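Review bot: In the `else` branch of the second hunk, `end = start + data.flush_data.length` is a second userspace-controlled addition with no explicit guard of its own; a wrap there is rejected only because `check_vaddr_bounds()` tests `end < start`, and a zero `length` (end == start) passes that test. Either mirror the new guard with `if (data.flush_data.length > ULONG_MAX - start)`, or add a comment such as `/* a wrapped end is rejected by the end < start test in check_vaddr_bounds() */` so the dependency survives later refactoring. The new `pr_err()` is also reachable with values chosen by the ioctl caller, so `pr_err_ratelimited()` would keep a process with access to the device from flooding the kernel log. The rest of `msm_ion_custom_ioctl` and of `check_vaddr_bounds` lies outside the visible hunks, so how a zero-length range is treated further down could not be checked.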