
Commit 9db3628e authored by Ravi Gummadidala

msm: ipa: fix potential heap overflow in intf property queries



Number of TX/RX/EXT properties to be read is supplied by
user-space and if these values are maliciously set too large,
heap overflow and memory corruption can result. This commit
caps the max allowed interface properties.

Change-Id: I9f5bf8b5e9a1b3b47b0741c0b00d5fafc77b28e2
Signed-off-by: Ravi Gummadidala <rgummadi@codeaurora.org>
parent 7a934747
+21 −0
@@ -506,6 +506,13 @@ static long ipa_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
			retval = -EFAULT;
			break;
		}

		if (((struct ipa_ioc_query_intf_tx_props *)header)->num_tx_props
				> IPA_NUM_PROPS_MAX) {
			retval = -EFAULT;
			break;
		}

		pyld_sz = sz + ((struct ipa_ioc_query_intf_tx_props *)
				header)->num_tx_props *
			sizeof(struct ipa_ioc_tx_intf_prop);
@@ -534,6 +541,13 @@ static long ipa_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
			retval = -EFAULT;
			break;
		}

		if (((struct ipa_ioc_query_intf_rx_props *)header)->num_rx_props
				> IPA_NUM_PROPS_MAX) {
			retval = -EFAULT;
			break;
		}

		pyld_sz = sz + ((struct ipa_ioc_query_intf_rx_props *)
				header)->num_rx_props *
			sizeof(struct ipa_ioc_rx_intf_prop);
@@ -562,6 +576,13 @@ static long ipa_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
			retval = -EFAULT;
			break;
		}

		if (((struct ipa_ioc_query_intf_ext_props *)
				header)->num_ext_props > IPA_NUM_PROPS_MAX) {
			retval = -EFAULT;
			break;
		}

		pyld_sz = sz + ((struct ipa_ioc_query_intf_ext_props *)
				header)->num_ext_props *
			sizeof(struct ipa_ioc_ext_intf_prop);
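Review bot: Each new bound check validates the count in the `header` copy, but the buffer sized by `pyld_sz` is filled and used outside these hunks; if that code copies the full payload from `arg` again, the count in the new buffer is re-read from user memory and may no longer be the value checked here. After that second copy the count should be compared with the validated one, or overwritten with it, before the query routine walks the property array; this applies equally to the tx, rx and ext cases. Separately, an oversized count is an invalid argument rather than a bad address, so `retval = -EINVAL;` would be the clearer error and would match what `ipa_register_intf_ext` returns for the same condition. The `ipa_ioctl` cases begin and end outside the hunks, so the second copy is inferred, not visible.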
+18 −0
@@ -87,6 +87,24 @@ int ipa_register_intf_ext(const char *name, const struct ipa_tx_intf *tx,
		return -EINVAL;
	}

	if (tx && tx->num_props > IPA_NUM_PROPS_MAX) {
		IPAERR("invalid tx num_props=%d max=%d\n", tx->num_props,
				IPA_NUM_PROPS_MAX);
		return -EINVAL;
	}

	if (rx && rx->num_props > IPA_NUM_PROPS_MAX) {
		IPAERR("invalid rx num_props=%d max=%d\n", rx->num_props,
				IPA_NUM_PROPS_MAX);
		return -EINVAL;
	}

	if (ext && ext->num_props > IPA_NUM_PROPS_MAX) {
		IPAERR("invalid ext num_props=%d max=%d\n", ext->num_props,
				IPA_NUM_PROPS_MAX);
		return -EINVAL;
	}

	len = sizeof(struct ipa_intf);
	intf = kzalloc(len, GFP_KERNEL);
	if (intf == NULL) {
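Review bot: The three new guards compare `num_props` only against the upper bound and log it with `%d`, while the field's type is not visible in this hunk. If it is unsigned the format should be `%u`, as in `IPAERR("invalid tx num_props=%u max=%d\n", tx->num_props, IPA_NUM_PROPS_MAX);`; if it is signed, a negative count passes `> IPA_NUM_PROPS_MAX` and the guard should also reject values below zero. The body of `ipa_register_intf_ext` continues past the hunk, so how the count sizes later allocations is not shown here.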
+5 −0
@@ -67,6 +67,11 @@
 */
#define IPA_RESOURCE_NAME_MAX 20

/**
 * max number of interface properties
 */
#define IPA_NUM_PROPS_MAX 20

/**
 * size of the mac address
 */