diff options
| author | Todd Kjos <tkjos@android.com> | 2019-12-13 12:25:31 -0800 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2019-12-14 09:10:47 +0100 |
| commit | 16981742717b04644a41052570fb502682a315d2 (patch) | |
| tree | 81e6f0d2bf4db7382e7aaf6064ffd0e481dca03b /drivers | |
| parent | 3e42fe5c73108a6e68c98bc0df937888e35af97f (diff) | |
| download | linux-stable-16981742717b04644a41052570fb502682a315d2.tar.gz linux-stable-16981742717b04644a41052570fb502682a315d2.tar.bz2 linux-stable-16981742717b04644a41052570fb502682a315d2.zip | |
binder: fix incorrect calculation for num_valid
For BINDER_TYPE_PTR and BINDER_TYPE_FDA transactions, the
num_valid local was calculated incorrectly causing the
range check in binder_validate_ptr() to miss out-of-bounds
offsets.
Fixes: bde4a19fc04f ("binder: use userspace pointer as base of buffer space")
Signed-off-by: Todd Kjos <tkjos@google.com>
Cc: stable <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20191213202531.55010-1-tkjos@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'drivers')
| -rw-r--r-- | drivers/android/binder.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/drivers/android/binder.c b/drivers/android/binder.c index e9bc9fcc7ea5..b2dad43dbf82 100644 --- a/drivers/android/binder.c +++ b/drivers/android/binder.c @@ -3310,7 +3310,7 @@ static void binder_transaction(struct binder_proc *proc, binder_size_t parent_offset; struct binder_fd_array_object *fda = to_binder_fd_array_object(hdr); - size_t num_valid = (buffer_offset - off_start_offset) * + size_t num_valid = (buffer_offset - off_start_offset) / sizeof(binder_size_t); struct binder_buffer_object *parent = binder_validate_ptr(target_proc, t->buffer, @@ -3384,7 +3384,7 @@ static void binder_transaction(struct binder_proc *proc, t->buffer->user_data + sg_buf_offset; sg_buf_offset += ALIGN(bp->length, sizeof(u64)); - num_valid = (buffer_offset - off_start_offset) * + num_valid = (buffer_offset - off_start_offset) / sizeof(binder_size_t); ret = binder_fixup_parent(t, thread, bp, off_start_offset, |