msm: ipc: Add check to avoid integer & buffer overflow
In IPC Router configure security rule operation, add check to avoid
integer overflow and hence a buffer overflow.
CRs-Fixed: 457405
Change-Id: I5448e14242be764a7b7adfe650b2c9124701c2c5
Signed-off-by: Karthikeyan Ramasubramanian <kramasub@codeaurora.org>
diff --git a/arch/arm/mach-msm/msm_ipc_router_security.c b/arch/arm/mach-msm/msm_ipc_router_security.c
index 756e24e..69efd13 100644
--- a/arch/arm/mach-msm/msm_ipc_router_security.c
+++ b/arch/arm/mach-msm/msm_ipc_router_security.c
@@ -37,7 +37,7 @@
uint32_t instance_id;
unsigned reserved;
int num_group_info;
- int *group_id;
+ gid_t *group_id;
};
static DEFINE_MUTEX(security_rules_lock);
@@ -98,6 +98,7 @@
struct config_sec_rules_args sec_rules_arg;
struct security_rule *rule, *temp_rule;
int key;
+ int group_info_sz;
int ret;
if (current_euid())
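Review bot: `group_info_sz` is declared `int`, but the -111 hunk assigns it a `size_t` product and the -111 and -131 hunks then pass it as the length to `kzalloc()` and `copy_from_user()`. The overflow test therefore depends on an implementation-defined narrowing conversion and on a signed/unsigned comparison. Declaring it `size_t group_info_sz;` and rejecting the count before multiplying, for example `if (sec_rules_arg.num_group_info > INT_MAX / sizeof(gid_t)) return -EINVAL;`, would make the check independent of wrap-around behaviour. The enclosing function starts and ends outside this hunk.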
@@ -111,14 +112,20 @@
if (sec_rules_arg.num_group_info <= 0)
return -EINVAL;
+ group_info_sz = sec_rules_arg.num_group_info * sizeof(gid_t);
+ if ((group_info_sz / sizeof(gid_t)) != sec_rules_arg.num_group_info) {
+ pr_err("%s: Integer Overflow %d * %d\n", __func__,
+ sizeof(gid_t), sec_rules_arg.num_group_info);
+ return -EINVAL;
+ }
+
rule = kzalloc(sizeof(struct security_rule), GFP_KERNEL);
if (!rule) {
pr_err("%s: security_rule alloc failed\n", __func__);
return -ENOMEM;
}
- rule->group_id = kzalloc((sec_rules_arg.num_group_info * sizeof(int)),
- GFP_KERNEL);
+ rule->group_id = kzalloc(group_info_sz, GFP_KERNEL);
if (!rule->group_id) {
pr_err("%s: group_id alloc failed\n", __func__);
kfree(rule);
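Review bot: The added `pr_err()` passes `sizeof(gid_t)`, which is a `size_t`, to a `%d` conversion; the format should read `"%s: Integer Overflow %zu * %d\n"`. The new check also guards only against wrap-around, so any positive `num_group_info` that does not overflow still reaches `kzalloc()` unchanged. If the interface defines a maximum number of group ids per rule (none is visible in this hunk), enforcing it next to the `<= 0` test would bound the allocation a caller can request. The function body continues outside the hunk.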
@@ -131,7 +138,7 @@
rule->num_group_info = sec_rules_arg.num_group_info;
ret = copy_from_user(rule->group_id,
((void *)(arg + sizeof(sec_rules_arg))),
- (rule->num_group_info * sizeof(uint32_t)));
+ group_info_sz);
if (ret) {
kfree(rule->group_id);
kfree(rule);