Commit 0b050950 authored by Todd Kjos's avatar Todd Kjos Committed by Greg Kroah-Hartman

binder: check for overflow when alloc for security context

When allocating space in the target buffer for the security context,
make sure the extra_buffers_size doesn't overflow. This can only
happen if the given size is invalid, but an overflow can turn it
into a valid size. Fail the transaction if an overflow is detected.
Signed-off-by: default avatarTodd Kjos <tkjos@google.com>
Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
parent d2f4a83f
...@@ -3121,6 +3121,7 @@ static void binder_transaction(struct binder_proc *proc, ...@@ -3121,6 +3121,7 @@ static void binder_transaction(struct binder_proc *proc,
if (target_node && target_node->txn_security_ctx) { if (target_node && target_node->txn_security_ctx) {
u32 secid; u32 secid;
size_t added_size;
security_task_getsecid(proc->tsk, &secid); security_task_getsecid(proc->tsk, &secid);
ret = security_secid_to_secctx(secid, &secctx, &secctx_sz); ret = security_secid_to_secctx(secid, &secctx, &secctx_sz);
...@@ -3130,7 +3131,15 @@ static void binder_transaction(struct binder_proc *proc, ...@@ -3130,7 +3131,15 @@ static void binder_transaction(struct binder_proc *proc,
return_error_line = __LINE__; return_error_line = __LINE__;
goto err_get_secctx_failed; goto err_get_secctx_failed;
} }
extra_buffers_size += ALIGN(secctx_sz, sizeof(u64)); added_size = ALIGN(secctx_sz, sizeof(u64));
extra_buffers_size += added_size;
if (extra_buffers_size < added_size) {
/* integer overflow of extra_buffers_size */
return_error = BR_FAILED_REPLY;
return_error_param = EINVAL;
return_error_line = __LINE__;
goto err_bad_extra_size;
}
} }
trace_binder_transaction(reply, t, target_node); trace_binder_transaction(reply, t, target_node);
...@@ -3480,6 +3489,7 @@ static void binder_transaction(struct binder_proc *proc, ...@@ -3480,6 +3489,7 @@ static void binder_transaction(struct binder_proc *proc,
t->buffer->transaction = NULL; t->buffer->transaction = NULL;
binder_alloc_free_buf(&target_proc->alloc, t->buffer); binder_alloc_free_buf(&target_proc->alloc, t->buffer);
err_binder_alloc_buf_failed: err_binder_alloc_buf_failed:
err_bad_extra_size:
if (secctx) if (secctx)
security_release_secctx(secctx, secctx_sz); security_release_secctx(secctx, secctx_sz);
err_get_secctx_failed: err_get_secctx_failed:
......
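Review bot: The new overflow branch stores a positive errno, `return_error_param = EINVAL;`, while the `err_get_secctx_failed` path just above it ends in a `goto` whose parameter assignment is outside the hunk. The rest of binder_transaction is also outside these hunks, so please confirm the sign convention; if the other failure paths store negative errnos, this line should read `return_error_param = -EINVAL;` so failure logs and replies stay consistent. Separately, the wrap test `extra_buffers_size < added_size` is only sound while `extra_buffers_size` is an unsigned type, and its declaration is not visible here. A short comment such as `/* extra_buffers_size is unsigned: a wrapped sum is smaller than the addend */` would record that assumption, or `check_add_overflow()` could replace the manual test if the operand types match.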