summaryrefslogtreecommitdiffstats
path: root/include
diff options
context:
space:
mode:
authorGwendal Grignou <gwendal@chromium.org>2016-03-08 09:13:52 -0800
committerOlof Johansson <olof@lixom.net>2016-05-11 11:55:47 -0700
commit5d749d0bbe811c10d9048cde6dfebc761713abfd (patch)
tree7f8497b6fa3125c0f7256dab097a73fbdc34bc58 /include
parent492ef7829d2d09428803bffb187d5781bbc12ca5 (diff)
downloadlinux-stable-5d749d0bbe811c10d9048cde6dfebc761713abfd.tar.gz
linux-stable-5d749d0bbe811c10d9048cde6dfebc761713abfd.tar.bz2
linux-stable-5d749d0bbe811c10d9048cde6dfebc761713abfd.zip
platform/chrome: cros_ec_dev - Fix security issue
Prevent memory scribble by checking that ioctl buffer size parameters are sane. Without this check, on 32 bits system, if .insize = 0xffffffff - 20 and .outsize the amount to scribble, we would overflow, allocate a small amounts and be able to write outside of the malloc'ed area. Adding a hard limit allows argument checking of the ioctl. With the current EC, it is expected .insize and .outsize to be at around 512 bytes or less. Signed-off-by: Gwendal Grignou <gwendal@chromium.org> Signed-off-by: Olof Johansson <olof@lixom.net>
Diffstat (limited to 'include')
-rw-r--r--include/linux/mfd/cros_ec.h6
1 files changed, 4 insertions, 2 deletions
diff --git a/include/linux/mfd/cros_ec.h b/include/linux/mfd/cros_ec.h
index a677c2bd485c..64184d27e3cd 100644
--- a/include/linux/mfd/cros_ec.h
+++ b/include/linux/mfd/cros_ec.h
@@ -50,9 +50,11 @@ enum {
EC_MSG_TX_TRAILER_BYTES,
EC_MSG_RX_PROTO_BYTES = 3,
- /* Max length of messages */
- EC_MSG_BYTES = EC_PROTO2_MAX_PARAM_SIZE +
+ /* Max length of messages for proto 2*/
+ EC_PROTO2_MSG_BYTES = EC_PROTO2_MAX_PARAM_SIZE +
EC_MSG_TX_PROTO_BYTES,
+
+ EC_MAX_MSG_BYTES = 64 * 1024,
};
/*