
Commit b14fd5b7 authored by Todd Kjos's avatar Todd Kjos Committed by Todd Kjos

UPSTREAM: binder: check for overflow when alloc for security context



commit 0b0509508beff65c1d50541861bc0d4973487dc5 upstream.

When allocating space in the target buffer for the security context,
make sure the extra_buffers_size doesn't overflow. This can only
happen if the given size is invalid, but an overflow can turn it
into a valid size. Fail the transaction if an overflow is detected.

Bug: 130571081
Change-Id: I03fa4c879895fe4f768d880f87dce329423bfb9a
Signed-off-by: Todd Kjos <tkjos@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
parent be7c1cbd
+11 −1
@@ -3231,6 +3231,7 @@ static void binder_transaction(struct binder_proc *proc,

	if (target_node && target_node->txn_security_ctx) {
		u32 secid;
		size_t added_size;

		security_task_getsecid(proc->tsk, &secid);
		ret = security_secid_to_secctx(secid, &secctx, &secctx_sz);
@@ -3240,7 +3241,15 @@ static void binder_transaction(struct binder_proc *proc,
			return_error_line = __LINE__;
			goto err_get_secctx_failed;
		}
		extra_buffers_size += ALIGN(secctx_sz, sizeof(u64));
		added_size = ALIGN(secctx_sz, sizeof(u64));
		extra_buffers_size += added_size;
		if (extra_buffers_size < added_size) {
			/* integer overflow of extra_buffers_size */
			return_error = BR_FAILED_REPLY;
			return_error_param = EINVAL;
			return_error_line = __LINE__;
			goto err_bad_extra_size;
		}
	}

	trace_binder_transaction(reply, t, target_node);
@@ -3589,6 +3598,7 @@ static void binder_transaction(struct binder_proc *proc,
	t->buffer->transaction = NULL;
	binder_alloc_free_buf(&target_proc->alloc, t->buffer);
err_binder_alloc_buf_failed:
err_bad_extra_size:
	if (secctx)
		security_release_secctx(secctx, secctx_sz);
err_get_secctx_failed:
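Review bot: The new guard after `extra_buffers_size += added_size` catches wrap-around of the sum only; the rounding in `added_size = ALIGN(secctx_sz, sizeof(u64))` is unchecked, so a `secctx_sz` within seven bytes of its type's maximum would wrap to a small value and pass. `secctx_sz` is filled in by `security_secid_to_secctx()` rather than taken from the transaction, so this is probably not reachable from userspace, but its declaration and the LSM's bounds are outside these hunks. Either record that assumption in the comment or fold the case into the existing test, `if (added_size < secctx_sz || extra_buffers_size < added_size) {`. The comparison also relies on `extra_buffers_size` being unsigned, which is declared outside the hunk; binder_transaction's body begins and ends outside the visible hunks.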