divestos-build/Patches/Linux_CVEs/CVE-2017-0457/3.10/0001.patch

From 7d87c5cf051c49c7b3bdb8abe4051b0aef41c87d Mon Sep 17 00:00:00 2001
From: Sathish Ambley <sathishambley@codeaurora.org>
Date: Tue, 13 Dec 2016 15:27:30 -0800
Subject: msm: ADSPRPC: Buffer length to be copied is truncated

The buffer length that is being used to allocate gets truncated
due to it being assigned to wrong type causing a much smaller
buffer to be allocated than what is required for copying.

Change-Id: I30818acd42bd282837c7c7aa16d56d3b95d4dfe7
Signed-off-by: Sathish Ambley <sathishambley@codeaurora.org>
---
 drivers/char/adsprpc.c | 18 ++++++++++++++----
 1 file changed, 14 insertions(+), 4 deletions(-)

diff --git a/drivers/char/adsprpc.c b/drivers/char/adsprpc.c
index f505d09..1224843 100644
--- a/drivers/char/adsprpc.c
+++ b/drivers/char/adsprpc.c
@@ -787,9 +787,9 @@ static int get_args(uint32_t kernel, struct smq_invoke_ctx *ctx,
 	void *args;
 	remote_arg_t *pra = ctx->pra;
 	remote_arg_t *rpra = ctx->rpra;
-	ssize_t rlen, used, size;
+	ssize_t rlen, used, size, copylen = 0;
 	uint32_t sc = ctx->sc, start;
-	int i, inh, bufs = 0, err = 0, oix, copylen = 0;
+	int i, inh, bufs = 0, err = 0, oix;
 	int inbufs = REMOTE_SCALARS_INBUFS(sc);
 	int outbufs = REMOTE_SCALARS_OUTBUFS(sc);
 	int cid = ctx->fdata->cid;
@@ -838,13 +838,23 @@ static int get_args(uint32_t kernel, struct smq_invoke_ctx *ctx,
 	/* calculate len requreed for copying */
 	for (oix = 0; oix < inbufs + outbufs; ++oix) {
 		int i = ctx->overps[oix]->raix;
+		uintptr_t mstart, mend;
+
 		if (!pra[i].buf.len)
 			continue;
 		if (list[i].num)
 			continue;
 		if (ctx->overps[oix]->offset == 0)
 			copylen = ALIGN(copylen, BALIGN);
-		copylen += ctx->overps[oix]->mend - ctx->overps[oix]->mstart;
+		mstart = ctx->overps[oix]->mstart;
+		mend = ctx->overps[oix]->mend;
+		VERIFY(err, (mend - mstart) <= LONG_MAX);
+		if (err)
+			goto bail;
+		copylen += mend - mstart;
+		VERIFY(err, copylen >= 0);
+		if (err)
+			goto bail;
 	}
 
 	/* alocate new buffer */
@@ -870,7 +880,7 @@ static int get_args(uint32_t kernel, struct smq_invoke_ctx *ctx,
 	/* copy non ion buffers */
 	for (oix = 0; oix < inbufs + outbufs; ++oix) {
 		int i = ctx->overps[oix]->raix;
-		int mlen = ctx->overps[oix]->mend - ctx->overps[oix]->mstart;
+		ssize_t mlen = ctx->overps[oix]->mend - ctx->overps[oix]->mstart;
 		if (!pra[i].buf.len)
 			continue;
 		if (list[i].num)
-- 
cgit v1.1
Switch to new CVE patchset 2017-11-07 17:32:46 -05:00			`From 7d87c5cf051c49c7b3bdb8abe4051b0aef41c87d Mon Sep 17 00:00:00 2001`
			`From: Sathish Ambley <sathishambley@codeaurora.org>`
Add patches for many Linux CVEs, and overhaul script paths 2017-10-29 01:48:53 -04:00			`Date: Tue, 13 Dec 2016 15:27:30 -0800`
Switch to new CVE patchset 2017-11-07 17:32:46 -05:00			`Subject: msm: ADSPRPC: Buffer length to be copied is truncated`
Add patches for many Linux CVEs, and overhaul script paths 2017-10-29 01:48:53 -04:00
			`The buffer length that is being used to allocate gets truncated`
			`due to it being assigned to wrong type causing a much smaller`
			`buffer to be allocated than what is required for copying.`

			`Change-Id: I30818acd42bd282837c7c7aa16d56d3b95d4dfe7`
			`Signed-off-by: Sathish Ambley <sathishambley@codeaurora.org>`
			`---`
			`drivers/char/adsprpc.c \| 18 ++++++++++++++----`
			`1 file changed, 14 insertions(+), 4 deletions(-)`

			`diff --git a/drivers/char/adsprpc.c b/drivers/char/adsprpc.c`
Switch to new CVE patchset 2017-11-07 17:32:46 -05:00			`index f505d09..1224843 100644`
Add patches for many Linux CVEs, and overhaul script paths 2017-10-29 01:48:53 -04:00			`--- a/drivers/char/adsprpc.c`
			`+++ b/drivers/char/adsprpc.c`
Switch to new CVE patchset 2017-11-07 17:32:46 -05:00			`@@ -787,9 +787,9 @@ static int get_args(uint32_t kernel, struct smq_invoke_ctx *ctx,`
Add patches for many Linux CVEs, and overhaul script paths 2017-10-29 01:48:53 -04:00			`void *args;`
			`remote_arg_t *pra = ctx->pra;`
			`remote_arg_t *rpra = ctx->rpra;`
			`- ssize_t rlen, used, size;`
			`+ ssize_t rlen, used, size, copylen = 0;`
			`uint32_t sc = ctx->sc, start;`
			`- int i, inh, bufs = 0, err = 0, oix, copylen = 0;`
			`+ int i, inh, bufs = 0, err = 0, oix;`
			`int inbufs = REMOTE_SCALARS_INBUFS(sc);`
			`int outbufs = REMOTE_SCALARS_OUTBUFS(sc);`
			`int cid = ctx->fdata->cid;`
Switch to new CVE patchset 2017-11-07 17:32:46 -05:00			`@@ -838,13 +838,23 @@ static int get_args(uint32_t kernel, struct smq_invoke_ctx *ctx,`
Add patches for many Linux CVEs, and overhaul script paths 2017-10-29 01:48:53 -04:00			`/* calculate len requreed for copying */`
			`for (oix = 0; oix < inbufs + outbufs; ++oix) {`
			`int i = ctx->overps[oix]->raix;`
			`+ uintptr_t mstart, mend;`
			`+`
			`if (!pra[i].buf.len)`
			`continue;`
			`if (list[i].num)`
			`continue;`
			`if (ctx->overps[oix]->offset == 0)`
			`copylen = ALIGN(copylen, BALIGN);`
			`- copylen += ctx->overps[oix]->mend - ctx->overps[oix]->mstart;`
			`+ mstart = ctx->overps[oix]->mstart;`
			`+ mend = ctx->overps[oix]->mend;`
			`+ VERIFY(err, (mend - mstart) <= LONG_MAX);`
			`+ if (err)`
			`+ goto bail;`
			`+ copylen += mend - mstart;`
			`+ VERIFY(err, copylen >= 0);`
			`+ if (err)`
			`+ goto bail;`
			`}`

			`/* alocate new buffer */`
Switch to new CVE patchset 2017-11-07 17:32:46 -05:00			`@@ -870,7 +880,7 @@ static int get_args(uint32_t kernel, struct smq_invoke_ctx *ctx,`
Add patches for many Linux CVEs, and overhaul script paths 2017-10-29 01:48:53 -04:00			`/* copy non ion buffers */`
			`for (oix = 0; oix < inbufs + outbufs; ++oix) {`
			`int i = ctx->overps[oix]->raix;`
			`- int mlen = ctx->overps[oix]->mend - ctx->overps[oix]->mstart;`
			`+ ssize_t mlen = ctx->overps[oix]->mend - ctx->overps[oix]->mstart;`
			`if (!pra[i].buf.len)`
			`continue;`
			`if (list[i].num)`
Switch to new CVE patchset 2017-11-07 17:32:46 -05:00			`--`
			`cgit v1.1`