Google Git
Sign in
android / kernel / google-modules / lwis / refs/heads/android-gs-raviole-5.10-android12-qpr3^! / .
commitd1a9fe0c011d4fe814ed7e7e10ccc56e5f4d1696[log] [tgz]
authorNick Chung <nickchung@google.com>Wed Mar 23 15:13:12 2022 +0800
committerNick Chung <nickchung@google.com>Tue Mar 29 00:14:05 2022 +0000
tree500fbc53ef740d9ee13fdc77a338fa6c99c1a316
parent568fbb3d420b2bfc2adca01a28ad2bea9366e5f1 [diff]
Ioctl: add error handling for integer overflow

Fixed ioctl_dpm_qos_update, ioctl_dpm_clk_update
and ioctl_event_control_set, there is a possible
out of bounds write due to an integer overflow.

Bug: 224932775
Test: GCA, test_poc, CTS
Signed-off-by: Nick Chung <nickchung@google.com>
Change-Id: I8beca1421efc9646f050b6c27ebfdc1a30f0a2c4
(cherry picked from commit 7b919ead431ae0aa8bf83752eca0977e00c6b59a)

diff --git a/lwis_ioctl.c b/lwis_ioctl.c
index 8033da6..198c9eb 100644
--- a/lwis_ioctl.c
+++ b/lwis_ioctl.c

@@ -299,7 +299,7 @@
 	buf_size = sizeof(struct lwis_io_entry) * k_msg->num_io_entries;
 	if (buf_size / sizeof(struct lwis_io_entry) != k_msg->num_io_entries) {
 		dev_err(lwis_dev->dev, "Failed to copy io_entries due to integer overflow.\n");
-		return -EINVAL;
+		return -EOVERFLOW;
 	}
 	io_entries = kvmalloc(buf_size, GFP_KERNEL);
 	if (!io_entries) {
@@ -759,6 +759,10 @@
 
 	/*  Copy event controls from user buffer. */
 	buf_size = sizeof(struct lwis_event_control) * k_msg.num_event_controls;
+	if (buf_size / sizeof(struct lwis_event_control) != k_msg.num_event_controls) {
+		dev_err(lwis_dev->dev, "Failed to copy event controls due to integer overflow.\n");
+		return -EOVERFLOW;
+	}
 	k_event_controls = kmalloc(buf_size, GFP_KERNEL);
 	if (!k_event_controls) {
 		dev_err(lwis_dev->dev, "Failed to allocate event controls\n");
@@ -1256,6 +1260,10 @@
 	}
 
 	buf_size = sizeof(struct lwis_clk_setting) * k_msg.num_settings;
+	if (buf_size / sizeof(struct lwis_clk_setting) != k_msg.num_settings) {
+		dev_err(lwis_dev->dev, "Failed to copy clk settings due to integer overflow.\n");
+		return -EOVERFLOW;
+	}
 	clk_settings = kmalloc(buf_size, GFP_KERNEL);
 	if (!clk_settings) {
 		dev_err(lwis_dev->dev, "Failed to allocate clock settings\n");
@@ -1293,6 +1301,10 @@
 
 	// Copy qos settings from user buffer.
 	buf_size = sizeof(struct lwis_qos_setting) * k_msg.num_settings;
+	if (buf_size / sizeof(struct lwis_qos_setting) != k_msg.num_settings) {
+		dev_err(lwis_dev->dev, "Failed to copy qos settings due to integer overflow.\n");
+		return -EOVERFLOW;
+	}
 	k_qos_settings = kmalloc(buf_size, GFP_KERNEL);
 	if (!k_qos_settings) {
 		dev_err(lwis_dev->dev, "Failed to allocate qos settings\n");