author | Robert Lee <lerobert@google.com> | 2021-12-28 09:46:53 +0000 |
---|---|---|
committer | Robert Lee <lerobert@google.com> | 2022-01-03 02:10:56 +0000 |
commit | 1c1804f861b93dc6f8631fbef63a54883d39e14d (patch) | |
tree | 461f747e39a0e39fd54bb1f94b2ab2e984326c65 | |
parent | fe99fc4e78bc067a99fd320b2fe27715e77c2392 (diff) | |
download | amplifiers-1c1804f861b93dc6f8631fbef63a54883d39e14d.tar.gz |
amcs: fix stack buffer OOB write vulnerability
Tags: android-s-v2-beta-3_r0.6, android-12.1.0_r0.6, android-12.1.0_r0.22, android-12.1.0_r0.16, android-gs-raviole-5.10-s-v2-beta-3, android-gs-raviole-5.10-android12L
add size checking before we access params.
Bug: 206128522
Test: manually test with test_poc on bug
Change-Id: Iac01ea063990521a8a89f186a07a157678295816
Signed-off-by: Robert Lee <lerobert@google.com>
-rw-r--r-- | audiometrics/audiometrics.c | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/audiometrics/audiometrics.c b/audiometrics/audiometrics.c index 735b42f..1014b16 100644 --- a/audiometrics/audiometrics.c +++ b/audiometrics/audiometrics.c @@ -376,6 +376,11 @@ static long amcs_cdev_unlocked_ioctl(struct file *file, unsigned int cmd, unsign return ret; } + if (sizeof(params) != _IOC_SIZE(cmd)) { + dev_err(&amcs_pdev->dev, "%s: size of cmd 0x%08x is invalid\n", __func__, cmd); + return ret; + } + if (copy_from_user(¶ms, (struct amcs_params *)arg, _IOC_SIZE(cmd))) return ret; |
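Review bot: The copy_from_user() call that follows the new check in amcs_cdev_unlocked_ioctl() still takes its length from _IOC_SIZE(cmd), a value supplied by the caller, so the bound on the stack write depends entirely on the new comparison staying in place directly above it. Passing sizeof(params) as the length would tie the copy to the destination buffer itself and keep it safe if the check is later moved or relaxed. The new rejection path also does a plain "return ret;", and the hunk does not show what ret holds at that point; it is worth confirming that it is a negative error code (for example -EINVAL) and not 0, since otherwise a malformed cmd is reported to userspace as success. Two smaller points: dev_err() here can be triggered at will by any process that can open the device, so dev_err_ratelimited() would avoid log flooding, and the cast "(struct amcs_params *)arg" would be clearer for sparse as a __user pointer.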