Commit fe7096ab authored Dec 13, 2019 by Todd Kjos Committed by Todd Kjos Dec 18, 2019

UPSTREAM: binder: fix incorrect calculation for num_valid



commit 16981742717b04644a41052570fb502682a315d2 upstream.

For BINDER_TYPE_PTR and BINDER_TYPE_FDA transactions, the
num_valid local was calculated incorrectly causing the
range check in binder_validate_ptr() to miss out-of-bounds
offsets.

Fixes: bde4a19fc04f ("binder: use userspace pointer as base of buffer space")
Change-Id: Ida77db13d8e5b726f0b14513f55c2b30277338cd
Signed-off-by: Todd Kjos <tkjos@google.com>
Cc: stable <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20191213202531.55010-1-tkjos@google.com


Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Bug: 145988638
Signed-off-by: Todd Kjos <tkjos@google.com>

parent cb87cb11

drivers/android/binder.c

+2 −2

Original line number	Diff line number	Diff line
		@@ -3428,7 +3428,7 @@ static void binder_transaction(struct binder_proc *proc,
		binder_size_t parent_offset;
		struct binder_fd_array_object *fda =
		to_binder_fd_array_object(hdr);
		size_t num_valid = (buffer_offset - off_start_offset) *
		size_t num_valid = (buffer_offset - off_start_offset) /
		sizeof(binder_size_t);
		struct binder_buffer_object *parent =
		binder_validate_ptr(target_proc, t->buffer,
		@@ -3502,7 +3502,7 @@ static void binder_transaction(struct binder_proc *proc,
		t->buffer->user_data + sg_buf_offset;
		sg_buf_offset += ALIGN(bp->length, sizeof(u64));

		num_valid = (buffer_offset - off_start_offset) *
		num_valid = (buffer_offset - off_start_offset) /
		sizeof(binder_size_t);
		ret = binder_fixup_parent(t, thread, bp,
		off_start_offset,