diff options
author | PixelBot AutoMerger <android-nexus-securitybot@system.gserviceaccount.com> | 2021-12-26 18:43:03 -0800 |
---|---|---|
committer | SecurityBot <android-nexus-securitybot@system.gserviceaccount.com> | 2021-12-26 18:43:04 -0800 |
commit | 115f51134593407a5234154802c1829b66ab8f3c (patch) | |
tree | 02221855130c00d0efe22c7ced7dd5c6d76e9ce8 | |
parent | 2a57b06c215740c225180d3331ca765419ccdda4 (diff) | |
parent | 8d2feafc333603b9d0ede58c489aab788cb193dd (diff) | |
download | lwis-115f51134593407a5234154802c1829b66ab8f3c.tar.gz |
Merge android12-gs-pixel-5.10-sc-qpr2 into android12-gs-pixel-5.10-sc-v2
SBMerger: 410055097
Change-Id: I66989517dd4f472ea5dc0cb60151e68e36df2a66
Signed-off-by: SecurityBot <android-nexus-securitybot@system.gserviceaccount.com>
-rw-r--r-- | lwis_ioctl.c | 5 | ||||
-rw-r--r-- | lwis_periodic_io.c | 24 |
2 files changed, 27 insertions, 2 deletions
diff --git a/lwis_ioctl.c b/lwis_ioctl.c index 7453d8b..8033da6 100644 --- a/lwis_ioctl.c +++ b/lwis_ioctl.c @@ -1097,6 +1097,11 @@ static int prepare_io_entry(struct lwis_client *client, struct lwis_io_entry *us struct lwis_device *lwis_dev = client->lwis_dev; entry_size = num_io_entries * sizeof(struct lwis_io_entry); + if (entry_size / sizeof(struct lwis_io_entry) != num_io_entries) { + dev_err(lwis_dev->dev, "Failed to prepare io entry due to integer overflow\n"); + return -EINVAL; + } + k_entries = kvmalloc(entry_size, GFP_KERNEL); if (!k_entries) { dev_err(lwis_dev->dev, "Failed to allocate periodic io entries\n"); diff --git a/lwis_periodic_io.c b/lwis_periodic_io.c index 061eced..6c7fed1 100644 --- a/lwis_periodic_io.c +++ b/lwis_periodic_io.c @@ -378,6 +378,26 @@ static int prepare_response(struct lwis_client *client, struct lwis_periodic_io } } + /* Check integer overflow.*/ + if (info->batch_size != 0 && read_entries != 0 && read_buf_size != 0) { + if (SIZE_MAX / (sizeof(struct lwis_periodic_io_result) * info->batch_size) < + read_entries || + SIZE_MAX / (read_entries * sizeof(struct lwis_periodic_io_result)) < + info->batch_size || + SIZE_MAX / read_buf_size < info->batch_size || + SIZE_MAX - (read_entries * sizeof(struct lwis_periodic_io_result) * + info->batch_size + + read_buf_size * info->batch_size) < + sizeof(struct lwis_periodic_io_response_header) || + SIZE_MAX - (read_entries * sizeof(struct lwis_periodic_io_result) * + info->batch_size + + sizeof(struct lwis_periodic_io_response_header)) < + (read_buf_size * info->batch_size)) { + pr_err_ratelimited("Failed to prepare response due to integer overflow\n"); + return -EINVAL; + } + } + /* Periodic io response payload consists of one response header and * batch_size of batches, each of which contains num_entries_per_period * pairs of lwis_periodic_io_result and its read_buf. */ @@ -427,10 +447,10 @@ void lwis_periodic_io_clean(struct lwis_periodic_io *periodic_io) int i; for (i = 0; i < periodic_io->info.num_io_entries; ++i) { if (periodic_io->info.io_entries[i].type == LWIS_IO_ENTRY_WRITE_BATCH) { - kfree(periodic_io->info.io_entries[i].rw_batch.buf); + kvfree(periodic_io->info.io_entries[i].rw_batch.buf); } } - kfree(periodic_io->info.io_entries); + kvfree(periodic_io->info.io_entries); /* resp may not be allocated before the periodic_io is successfully * submitted */ |