leandrof/linux
1
0
Fork 0
forked from Minki/linux
Code Issues Pull Requests Packages Projects Releases Wiki Activity

platform/chrome: fix memory corruption in ioctl

Browse Source 
If "s_mem.bytes" is larger than the buffer size it leads to memory
corruption.

Fixes: eda2e30c66 ("mfd / platform: cros_ec: Miscellaneous character device to talk with the EC")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Reviewed-by: Guenter Roeck <groeck@chromium.org>
Signed-off-by: Tzung-Bi Shih <tzungbi@kernel.org>
Link: https://lore.kernel.org/r/Yv8dpCFZJdbUT5ye@kili
This commit is contained in:
Dan Carpenter 2022-08-19 08:20:36 +03:00 committed by Tzung-Bi Shih
parent 6ad4194d6a
commit 8a07b45fd3
1 changed files with 3 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
drivers/platform/chrome/cros_ec_chardev.c
View File

@ -327,6 +327,9 @@ static long cros_ec_chardev_ioctl_readmem(struct cros_ec_dev *ec,
if (copy_from_user(&s_mem, arg, sizeof(s_mem)))
return -EFAULT;
if (s_mem.bytes > sizeof(s_mem.buffer))
return -EINVAL;
num = ec_dev->cmd_readmem(ec_dev, s_mem.offset, s_mem.bytes,
s_mem.buffer);
if (num <= 0)