Ioctl: add error handling for integer overflow
Fixed ioctl_dpm_qos_update, ioctl_dpm_clk_update
and ioctl_event_control_set, where an integer overflow
could lead to an out-of-bounds write.
Bug: 224932775
Test: GCA, test_poc, CTS
Signed-off-by: Nick Chung <nickchung@google.com>
Change-Id: I8beca1421efc9646f050b6c27ebfdc1a30f0a2c4
(cherry picked from commit 7b919ead431ae0aa8bf83752eca0977e00c6b59a)
diff --git a/lwis_ioctl.c b/lwis_ioctl.c
index 8033da6..198c9eb 100644
--- a/lwis_ioctl.c
+++ b/lwis_ioctl.c
@@ -299,7 +299,7 @@
buf_size = sizeof(struct lwis_io_entry) * k_msg->num_io_entries;
if (buf_size / sizeof(struct lwis_io_entry) != k_msg->num_io_entries) {
dev_err(lwis_dev->dev, "Failed to copy io_entries due to integer overflow.\n");
- return -EINVAL;
+ return -EOVERFLOW;
}
io_entries = kvmalloc(buf_size, GFP_KERNEL);
if (!io_entries) {
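Review bot: The switch from `-EINVAL` to `-EOVERFLOW` on the overflow path is visible to user space, so a caller that matched on EINVAL for an oversized `num_io_entries` now sees a different errno. The return value deserves a line of documentation at the check, for example `/* -EOVERFLOW: num_io_entries * sizeof(struct lwis_io_entry) does not fit in buf_size */`. The three checks added later in this patch return the same errno, so the ioctl's documented error list should be updated once for all four sites. The enclosing function starts and ends outside this hunk.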
@@ -759,6 +759,10 @@
/* Copy event controls from user buffer. */
buf_size = sizeof(struct lwis_event_control) * k_msg.num_event_controls;
+ if (buf_size / sizeof(struct lwis_event_control) != k_msg.num_event_controls) {
+ dev_err(lwis_dev->dev, "Failed to copy event controls due to integer overflow.\n");
+ return -EOVERFLOW;
+ }
k_event_controls = kmalloc(buf_size, GFP_KERNEL);
if (!k_event_controls) {
dev_err(lwis_dev->dev, "Failed to allocate event controls\n");
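Review bot: The added `dev_err()` fires on a count that appears to come directly from the user-supplied message (`k_msg.num_event_controls`), so a caller able to issue this ioctl could repeat the request and flood the kernel log. `dev_err_ratelimited(lwis_dev->dev, "Failed to copy event controls due to integer overflow.\n");` keeps the diagnostic without that side effect. The same applies to the messages added in the clk-settings and qos-settings hunks and to the existing one in the io_entries hunk. The function body continues outside this hunk, so any access restriction on the ioctl is not visible here.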
@@ -1256,6 +1260,10 @@
}
buf_size = sizeof(struct lwis_clk_setting) * k_msg.num_settings;
+ if (buf_size / sizeof(struct lwis_clk_setting) != k_msg.num_settings) {
+ dev_err(lwis_dev->dev, "Failed to copy clk settings due to integer overflow.\n");
+ return -EOVERFLOW;
+ }
clk_settings = kmalloc(buf_size, GFP_KERNEL);
if (!clk_settings) {
dev_err(lwis_dev->dev, "Failed to allocate clock settings\n");
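Review bot: The new check rejects only a product that wraps; a `num_settings` that passes it can still make `buf_size` far larger than `kmalloc()` will serve, and the request then fails inside the allocator, which by default emits an allocation-failure warning. If the count is caller-controlled, as it appears to be, an explicit upper bound on `k_msg.num_settings` before the multiplication (or `__GFP_NOWARN` on the allocation) would reject such requests cleanly; no limit constant is visible in this patch, so one would have to be defined by the driver. The io_entries path in the first hunk allocates with `kvmalloc()` while this hunk and the event-control and qos hunks use `kmalloc()`, which is worth making consistent or explaining in a comment. The function starts before and continues after this hunk.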
@@ -1293,6 +1301,10 @@
// Copy qos settings from user buffer.
buf_size = sizeof(struct lwis_qos_setting) * k_msg.num_settings;
+ if (buf_size / sizeof(struct lwis_qos_setting) != k_msg.num_settings) {
+ dev_err(lwis_dev->dev, "Failed to copy qos settings due to integer overflow.\n");
+ return -EOVERFLOW;
+ }
k_qos_settings = kmalloc(buf_size, GFP_KERNEL);
if (!k_qos_settings) {
dev_err(lwis_dev->dev, "Failed to allocate qos settings\n");