Google Git
Sign in
android / kernel / msm / android-msm-sawshark-3.18-o-wear-preview-4
commit2e9efae734f949194a616bc9a08c71b2cd188997[log] [tgz]
authorDaniel Rosenberg <drosen@google.com>Wed Nov 02 17:43:51 2016 -0700
committerBen Fennema <fennema@google.com>Fri Aug 25 14:33:06 2017 -0700
tree3ebcb75605f846336acf14b0e038209624a03fa6
parent0682eaefc21999ef7ba37bd96e9323879e55d9be [diff]
ion: Fix use after free during ION_IOC_ALLOC

If a user happens to call ION_IOC_FREE during an
ION_IOC_ALLOC on the just allocated id, and the
copy_to_user fails, the cleanup code will attempt
to free an already freed handle.

This adds a wrapper for ion_alloc that adds an
ion_handle_get to avoid this.

Bug: 31568617
Bug: 32987001
Change-Id: I476e5bd5372b5178a213f1fea143d270cf9361ed
Signed-off-by: Daniel Rosenberg <drosen@google.com>
1 file changed
tree: 3ebcb75605f846336acf14b0e038209624a03fa6
  1. android/
  2. arch/
  3. block/
  4. crypto/
  5. Documentation/
  6. drivers/
  7. firmware/
  8. fs/
  9. include/
  10. init/
  11. ipc/
  12. kernel/
  13. lib/
  14. linaro/
  15. mm/
  16. net/
  17. samples/
  18. scripts/
  19. security/
  20. sound/
  21. tools/
  22. usr/
  23. virt/
  24. .gitignore
  25. .mailmap
  26. AndroidKernel.mk
  27. build.config
  28. COPYING
  29. CREDITS
  30. Kbuild
  31. Kconfig
  32. MAINTAINERS
  33. Makefile
  34. README
  35. REPORTING-BUGS