forked from Minki/linux
binder: check for overflow when alloc for security context
When allocating space in the target buffer for the security context, make sure the extra_buffers_size doesn't overflow. This can only happen if the given size is invalid, but an overflow can turn it into a valid size. Fail the transaction if an overflow is detected. Signed-off-by: Todd Kjos <tkjos@google.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
This commit is contained in:
parent
d2f4a83fe3
commit
0b0509508b
@ -3121,6 +3121,7 @@ static void binder_transaction(struct binder_proc *proc,
|
|||||||
|
|
||||||
if (target_node && target_node->txn_security_ctx) {
|
if (target_node && target_node->txn_security_ctx) {
|
||||||
u32 secid;
|
u32 secid;
|
||||||
|
size_t added_size;
|
||||||
|
|
||||||
security_task_getsecid(proc->tsk, &secid);
|
security_task_getsecid(proc->tsk, &secid);
|
||||||
ret = security_secid_to_secctx(secid, &secctx, &secctx_sz);
|
ret = security_secid_to_secctx(secid, &secctx, &secctx_sz);
|
||||||
@ -3130,7 +3131,15 @@ static void binder_transaction(struct binder_proc *proc,
|
|||||||
return_error_line = __LINE__;
|
return_error_line = __LINE__;
|
||||||
goto err_get_secctx_failed;
|
goto err_get_secctx_failed;
|
||||||
}
|
}
|
||||||
extra_buffers_size += ALIGN(secctx_sz, sizeof(u64));
|
added_size = ALIGN(secctx_sz, sizeof(u64));
|
||||||
|
extra_buffers_size += added_size;
|
||||||
|
if (extra_buffers_size < added_size) {
|
||||||
|
/* integer overflow of extra_buffers_size */
|
||||||
|
return_error = BR_FAILED_REPLY;
|
||||||
|
return_error_param = EINVAL;
|
||||||
|
return_error_line = __LINE__;
|
||||||
|
goto err_bad_extra_size;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
trace_binder_transaction(reply, t, target_node);
|
trace_binder_transaction(reply, t, target_node);
|
||||||
@ -3480,6 +3489,7 @@ err_copy_data_failed:
|
|||||||
t->buffer->transaction = NULL;
|
t->buffer->transaction = NULL;
|
||||||
binder_alloc_free_buf(&target_proc->alloc, t->buffer);
|
binder_alloc_free_buf(&target_proc->alloc, t->buffer);
|
||||||
err_binder_alloc_buf_failed:
|
err_binder_alloc_buf_failed:
|
||||||
|
err_bad_extra_size:
|
||||||
if (secctx)
|
if (secctx)
|
||||||
security_release_secctx(secctx, secctx_sz);
|
security_release_secctx(secctx, secctx_sz);
|
||||||
err_get_secctx_failed:
|
err_get_secctx_failed:
|
||||||
|
Loading…
Reference in New Issue
Block a user