projects / GitHub / LineageOS / android_kernel_samsung_universal7580.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 65f76e0)
UPSTREAM: binder: check for overflow when alloc for security context
authorTodd Kjos <tkjos@android.com>
Wed, 24 Apr 2019 19:31:18 +0000 (12:31 -0700)
committerDanny Wood <danwood76@gmail.com>
Fri, 8 Nov 2019 12:03:13 +0000 (12:03 +0000)
commit 0b0509508beff65c1d50541861bc0d4973487dc5 upstream.

When allocating space in the target buffer for the security context,
make sure the extra_buffers_size doesn't overflow. This can only
happen if the given size is invalid, but an overflow can turn it
into a valid size. Fail the transaction if an overflow is detected.

Bug: 130571081
Change-Id: Ibaec652d2073491cc426a4a24004a848348316bf
Signed-off-by: Todd Kjos <tkjos@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
drivers/android/binder.c patch | blob | blame | history

diff --git a/drivers/android/binder.c b/drivers/android/binder.c
index 2afba981c74681ec7104e6e8119c09bcfc53911a..235c4e11e01fe69438d3e90e8c7ec5d65f179737 100644 (file)
--- a/drivers/android/binder.c
+++ b/drivers/android/binder.c
@@ -3135,6 +3135,7 @@ static void binder_transaction(struct binder_proc *proc,
 
        if (target_node && target_node->txn_security_ctx) {
                u32 secid;
+               size_t added_size;
 
                security_task_getsecid(proc->tsk, &secid);
                ret = security_secid_to_secctx(secid, &secctx, &secctx_sz);
@@ -3144,7 +3145,15 @@ static void binder_transaction(struct binder_proc *proc,
                        return_error_line = __LINE__;
                        goto err_get_secctx_failed;
                }
-               extra_buffers_size += ALIGN(secctx_sz, sizeof(u64));
+               added_size = ALIGN(secctx_sz, sizeof(u64));
+               extra_buffers_size += added_size;
+               if (extra_buffers_size < added_size) {
+                       /* integer overflow of extra_buffers_size */
+                       return_error = BR_FAILED_REPLY;
+                       return_error_param = EINVAL;
+                       return_error_line = __LINE__;
+                       goto err_bad_extra_size;
+               }
        }
 
        trace_binder_transaction(reply, t, target_node);
@@ -3446,6 +3455,7 @@ err_copy_data_failed:
        t->buffer->transaction = NULL;
        binder_alloc_free_buf(&target_proc->alloc, t->buffer);
 err_binder_alloc_buf_failed:
+err_bad_extra_size:
        if (secctx)
                security_release_secctx(secctx, secctx_sz);
 err_get_secctx_failed: