On 03/02/16 21:58, Gwendal Grignou wrote: > Add a check to prevent memory scribbe when sending an ioctl with .insize
scribble > set so large that memory allocation argument overflows. > > Signed-off-by: Gwendal Grignou <gwen...@chromium.org> > --- > drivers/platform/chrome/cros_ec_dev.c | 12 +++++++++++- > 1 file changed, 11 insertions(+), 1 deletion(-) > > diff --git a/drivers/platform/chrome/cros_ec_dev.c > b/drivers/platform/chrome/cros_ec_dev.c > index d45cd25..86d6373 100644 > --- a/drivers/platform/chrome/cros_ec_dev.c > +++ b/drivers/platform/chrome/cros_ec_dev.c > @@ -131,13 +131,23 @@ static ssize_t ec_device_read(struct file *filp, char > __user *buffer, > static long ec_device_ioctl_xcmd(struct cros_ec_dev *ec, void __user *arg) > { > long ret; > + size_t data_size; > struct cros_ec_command u_cmd; > struct cros_ec_command *s_cmd; > > if (copy_from_user(&u_cmd, arg, sizeof(u_cmd))) > return -EFAULT; > > - s_cmd = kmalloc(sizeof(*s_cmd) + max(u_cmd.outsize, u_cmd.insize), > + /* > + * Prevent mallicious attack where .inside is so big that amount malicious .insize > + * kmalloc'ed rollover, allowing memcpy to write beyond the allocated > + * space. > + */ > + data_size = max(u_cmd.outsize, u_cmd.insize); > + if (data_size + sizeof(*s_cmd) < data_size) > + return -EINVAL; > + > + s_cmd = kmalloc(sizeof(*s_cmd) + data_size, > GFP_KERNEL); > if (!s_cmd) > return -ENOMEM; > -- ~Randy