xiaomi-sm8450/android_kernel_xiaomi_sm8450
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

platform/chrome: cros_ec_dev - Fix security issue

Browse Source 
Prevent memory scribble by checking that ioctl buffer size parameters
are sane.
Without this check, on 32 bits system, if .insize = 0xffffffff - 20 and
.outsize the amount to scribble, we would overflow, allocate a small
amounts and be able to write outside of the malloc'ed area.
Adding a hard limit allows argument checking of the ioctl. With the
current EC, it is expected .insize and .outsize to be at around 512 bytes
or less.

Signed-off-by: Gwendal Grignou <gwendal@chromium.org>
Signed-off-by: Olof Johansson <olof@lixom.net>
This commit is contained in:
Gwendal Grignou
2016-03-08 09:13:52 -08:00
committed by Olof Johansson
parent 492ef7829d
commit 5d749d0bbe
3 changed files with 10 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
include/linux/mfd/cros_ec.h
View File

@@ -50,9 +50,11 @@ enum {
EC_MSG_TX_TRAILER_BYTES,
EC_MSG_RX_PROTO_BYTES = 3,
/* Max length of messages */
EC_MSG_BYTES = EC_PROTO2_MAX_PARAM_SIZE +
/* Max length of messages for proto 2*/
EC_PROTO2_MSG_BYTES = EC_PROTO2_MAX_PARAM_SIZE +
EC_MSG_TX_PROTO_BYTES,
EC_MAX_MSG_BYTES = 64 * 1024,
};
/*