diff options
author | Todd Kjos <tkjos@android.com> | 2019-04-24 12:31:18 -0700 |
---|---|---|
committer | Todd Kjos <tkjos@google.com> | 2019-06-12 11:32:48 -0700 |
commit | 357d0ffb9430baca6c4ec2c09310a09f47b27320 (patch) | |
tree | 9e0d86773da6da9c1351e866dbfd8e9ea9d81b78 | |
parent | 1de5a484cfc3fff1b5631b76d59d5e5cd73bf7c1 (diff) |
UPSTREAM: binder: check for overflow when alloc for security contextASB-2019-09-05_4.14-p-releaseASB-2019-08-05_4.14-p-releaseASB-2019-07-05_4.14-p-release
commit 0b0509508beff65c1d50541861bc0d4973487dc5 upstream.
When allocating space in the target buffer for the security context,
make sure the extra_buffers_size doesn't overflow. This can only
happen if the given size is invalid, but an overflow can turn it
into a valid size. Fail the transaction if an overflow is detected.
Bug: 130571081
Change-Id: Ibaec652d2073491cc426a4a24004a848348316bf
Signed-off-by: Todd Kjos <tkjos@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-rw-r--r-- | drivers/android/binder.c | 12 |
1 files changed, 11 insertions, 1 deletions
diff --git a/drivers/android/binder.c b/drivers/android/binder.c index 7a49ff6b5778..7cf5d26c4526 100644 --- a/drivers/android/binder.c +++ b/drivers/android/binder.c @@ -3128,6 +3128,7 @@ static void binder_transaction(struct binder_proc *proc, if (target_node && target_node->txn_security_ctx) { u32 secid; + size_t added_size; security_task_getsecid(proc->tsk, &secid); ret = security_secid_to_secctx(secid, &secctx, &secctx_sz); @@ -3137,7 +3138,15 @@ static void binder_transaction(struct binder_proc *proc, return_error_line = __LINE__; goto err_get_secctx_failed; } - extra_buffers_size += ALIGN(secctx_sz, sizeof(u64)); + added_size = ALIGN(secctx_sz, sizeof(u64)); + extra_buffers_size += added_size; + if (extra_buffers_size < added_size) { + /* integer overflow of extra_buffers_size */ + return_error = BR_FAILED_REPLY; + return_error_param = EINVAL; + return_error_line = __LINE__; + goto err_bad_extra_size; + } } trace_binder_transaction(reply, t, target_node); @@ -3439,6 +3448,7 @@ err_copy_data_failed: t->buffer->transaction = NULL; binder_alloc_free_buf(&target_proc->alloc, t->buffer); err_binder_alloc_buf_failed: +err_bad_extra_size: if (secctx) security_release_secctx(secctx, secctx_sz); err_get_secctx_failed: |