Doug / smarc-fsl-linux-kernel

Download as
Browse Code ยป

Commit 221fd753dd002222b595f8af0e289fff0c9cf5a8

Authored by Kevin McKinney
Committed by Greg Kroah-Hartman
1 parent b72a7c859e
Exists in master and in 6 other branches imx_3.10.17_1.0.1_ga, imx_3.10.53_1.1.0_ga, imx_3.14.28_1.0.0_ga, smarc-imx_3.10.53_1.1.0_ga, smarc-imx_3.14.28_1.0.0_ga, smarc-l5.0.0_1.0.0-ga

Staging: bcm: Fix an invalid dereference to a kmalloc in IOCTL_BCM_BULK_WRM 

Variable IoBuffer.InputLength is chosen from userspace,
and can therefore be less than the intended size. In this
case,the memory from the kmalloc call is eventually cast
to a PBULKWRM_BUFFER. If the IoBuffer.InputLength does not
meet the minimum size of PBULKWRM_BUFFER, then we will get
a kernel Oops. To resolve this issue, this patch verifies
IoBuffer.InputLength meets the minimum size before invoking
the kmalloc call.

Signed-off-by: Kevin McKinney <klmckinney1@gmail.com>
Reviewed-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

Showing 1 changed file with 3 additions and 1 deletions Side-by-side Diff

drivers/staging/bcm/Bcmchar.c
Diff comments   View file @ 221fd75
... ... @@ -1137,7 +1137,9 @@
1137 1137 if (copy_from_user(&IoBuffer, argp, sizeof(IOCTL_BUFFER)))
1138 1138 return -EFAULT;
1139 1139  
1140   - /* FIXME: restrict length */
  1140 + if (IoBuffer.InputLength < sizeof(ULONG) * 2)
  1141 + return -EINVAL;
  1142 +
1141 1143 pvBuffer = kmalloc(IoBuffer.InputLength, GFP_KERNEL);
1142 1144 if (!pvBuffer)
1143 1145 return -ENOMEM;