From c1a289854bf0406890f4f80911c88acf4d4f2bb1 Mon Sep 17 00:00:00 2001
From: Todd Kjos <tkjos@google.com>
Date: Tue, 19 Mar 2019 09:53:01 -0700
Subject: [PATCH] FROMGIT: binder: fix BUG_ON found by selinux-testsuite

The selinux-testsuite found an issue resulting in a BUG_ON()
where a conditional relied on a size_t going negative when
checking the validity of a buffer offset.

(cherry picked from commit 5997da82145bb7c9a56d834894cb81f81f219344
 git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc.git
 char-misc-linus)
Bug: 67668716
Bug: 129336614
Change-Id: Ib3b408717141deadddcb6b95ad98c0b97d9d98ea
Fixes: 7a67a39320df ("binder: add function to copy binder object from buffer")
Reported-by: Paul Moore <paul@paul-moore.com>
Tested-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Todd Kjos <tkjos@google.com>
---
 drivers/android/binder.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/android/binder.c b/drivers/android/binder.c
index 94e2872cff03..36ad7483424c 100644
--- a/drivers/android/binder.c
+++ b/drivers/android/binder.c
@@ -2239,7 +2239,8 @@ static size_t binder_get_object(struct binder_proc *proc,
 	size_t object_size = 0;
 
 	read_size = min_t(size_t, sizeof(*object), buffer->data_size - offset);
-	if (read_size < sizeof(*hdr) || !IS_ALIGNED(offset, sizeof(u32)))
+	if (offset > buffer->data_size || read_size < sizeof(*hdr) ||
+	    !IS_ALIGNED(offset, sizeof(u32)))
 		return 0;
 	binder_alloc_copy_from_buffer(&proc->alloc, object, buffer,
 				      offset, read_size);
-- 
2.20.1