diff options
| author | Gwendal Grignou | 2016-03-08 18:13:52 +0100 |
|---|---|---|
| committer | Olof Johansson | 2016-05-11 20:55:47 +0200 |
| commit | 5d749d0bbe811c10d9048cde6dfebc761713abfd (patch) | |
| tree | 7f8497b6fa3125c0f7256dab097a73fbdc34bc58 /drivers/platform/chrome/cros_ec_dev.c | |
| parent | platform/chrome: Add Chrome OS keyboard backlight LEDs support (diff) | |
| download | kernel-qcow2-linux-5d749d0bbe811c10d9048cde6dfebc761713abfd.tar.gz kernel-qcow2-linux-5d749d0bbe811c10d9048cde6dfebc761713abfd.tar.xz kernel-qcow2-linux-5d749d0bbe811c10d9048cde6dfebc761713abfd.zip | |
platform/chrome: cros_ec_dev - Fix security issue
Prevent memory scribble by checking that ioctl buffer size parameters
are sane.
Without this check, on 32 bits system, if .insize = 0xffffffff - 20 and
.outsize the amount to scribble, we would overflow, allocate a small
amounts and be able to write outside of the malloc'ed area.
Adding a hard limit allows argument checking of the ioctl. With the
current EC, it is expected .insize and .outsize to be at around 512 bytes
or less.
Signed-off-by: Gwendal Grignou <gwendal@chromium.org>
Signed-off-by: Olof Johansson <olof@lixom.net>
Diffstat (limited to 'drivers/platform/chrome/cros_ec_dev.c')
| -rw-r--r-- | drivers/platform/chrome/cros_ec_dev.c | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/drivers/platform/chrome/cros_ec_dev.c b/drivers/platform/chrome/cros_ec_dev.c index d45cd254ed1c..187470c8a1f6 100644 --- a/drivers/platform/chrome/cros_ec_dev.c +++ b/drivers/platform/chrome/cros_ec_dev.c @@ -137,6 +137,10 @@ static long ec_device_ioctl_xcmd(struct cros_ec_dev *ec, void __user *arg) if (copy_from_user(&u_cmd, arg, sizeof(u_cmd))) return -EFAULT; + if ((u_cmd.outsize > EC_MAX_MSG_BYTES) || + (u_cmd.insize > EC_MAX_MSG_BYTES)) + return -EINVAL; + s_cmd = kmalloc(sizeof(*s_cmd) + max(u_cmd.outsize, u_cmd.insize), GFP_KERNEL); if (!s_cmd) |