binder: fix incorrect calculation for num_valid
For BINDER_TYPE_PTR and BINDER_TYPE_FDA transactions, the
num_valid local was calculated incorrectly causing the
range check in binder_validate_ptr() to miss out-of-bounds
offsets.
Fixes: bde4a19fc0 ("binder: use userspace pointer as base of buffer space")
Signed-off-by: Todd Kjos <tkjos@google.com>
Cc: stable <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20191213202531.55010-1-tkjos@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
This commit is contained in:
Todd Kjos
Greg Kroah-Hartman
Родитель
3e42fe5c73
Коммит
1698174271
|
|
@ -3310,7 +3310,7 @@ static void binder_transaction(struct binder_proc *proc,
|
||||||
binder_size_t parent_offset;
|
binder_size_t parent_offset;
|
||||||
struct binder_fd_array_object *fda =
|
struct binder_fd_array_object *fda =
|
||||||
to_binder_fd_array_object(hdr);
|
to_binder_fd_array_object(hdr);
|
||||||
size_t num_valid = (buffer_offset - off_start_offset) *
|
size_t num_valid = (buffer_offset - off_start_offset) /
|
||||||
sizeof(binder_size_t);
|
sizeof(binder_size_t);
|
||||||
struct binder_buffer_object *parent =
|
struct binder_buffer_object *parent =
|
||||||
binder_validate_ptr(target_proc, t->buffer,
|
binder_validate_ptr(target_proc, t->buffer,
|
||||||
|
|
@ -3384,7 +3384,7 @@ static void binder_transaction(struct binder_proc *proc,
|
||||||
t->buffer->user_data + sg_buf_offset;
|
t->buffer->user_data + sg_buf_offset;
|
||||||
sg_buf_offset += ALIGN(bp->length, sizeof(u64));
|
sg_buf_offset += ALIGN(bp->length, sizeof(u64));
|
||||||
|
|
||||||
num_valid = (buffer_offset - off_start_offset) *
|
num_valid = (buffer_offset - off_start_offset) /
|
||||||
sizeof(binder_size_t);
|
sizeof(binder_size_t);
|
||||||
ret = binder_fixup_parent(t, thread, bp,
|
ret = binder_fixup_parent(t, thread, bp,
|
||||||
off_start_offset,
|
off_start_offset,
|
||||||
|
|
|
||||||
Загрузка…
Ссылка в новой задаче