amcs: fix stack buffer OOB write vulnerabilityandroid-s-v2-beta-3_r0.6 android-12.1.0_r0.6 android-12.1.0_r0.22 android-12.1.0_r0.16 android-gs-raviole-5.10-s-v2-beta-3 android-gs-raviole-5.10-android12L

add size checking before we access params. Bug: 206128522 Test: manually test with test_poc on bug Change-Id: Iac01ea063990521a8a89f186a07a157678295816 Signed-off-by: Robert Lee <lerobert@google.com>
author: Robert Lee <lerobert@google.com> 2021-12-28 09:46:53 +0000
committer: Robert Lee <lerobert@google.com> 2022-01-03 02:10:56 +0000
commit: 1c1804f861b93dc6f8631fbef63a54883d39e14d (patch)
tree: 461f747e39a0e39fd54bb1f94b2ab2e984326c65
parent: fe99fc4e78bc067a99fd320b2fe27715e77c2392 (diff)
download: amplifiers-1c1804f861b93dc6f8631fbef63a54883d39e14d.tar.gz
1 files changed, 5 insertions, 0 deletions
diff --git a/audiometrics/audiometrics.c b/audiometrics/audiometrics.c
index 735b42f..1014b16 100644
--- a/audiometrics/audiometrics.c
+++ b/audiometrics/audiometrics.c
@@ -376,6 +376,11 @@ static long amcs_cdev_unlocked_ioctl(struct file *file, unsigned int cmd, unsign
 		return ret;
 	}
 
+	if (sizeof(params) != _IOC_SIZE(cmd)) {
+		dev_err(&amcs_pdev->dev, "%s: size of cmd 0x%08x is invalid\n", __func__, cmd);
+		return ret;
+	}
+
 	if (copy_from_user(&params, (struct amcs_params *)arg, _IOC_SIZE(cmd)))
 		return ret;
author	Robert Lee <lerobert@google.com>	2021-12-28 09:46:53 +0000
committer	Robert Lee <lerobert@google.com>	2022-01-03 02:10:56 +0000
commit	1c1804f861b93dc6f8631fbef63a54883d39e14d (patch)
tree	461f747e39a0e39fd54bb1f94b2ab2e984326c65
parent	fe99fc4e78bc067a99fd320b2fe27715e77c2392 (diff)
download	amplifiers-1c1804f861b93dc6f8631fbef63a54883d39e14d.tar.gz