diff options
| author | Gwendal Grignou <gwendal@chromium.org> | 2016-03-08 12:13:52 -0500 |
|---|---|---|
| committer | Olof Johansson <olof@lixom.net> | 2016-05-11 14:55:47 -0400 |
| commit | 5d749d0bbe811c10d9048cde6dfebc761713abfd (patch) | |
| tree | 7f8497b6fa3125c0f7256dab097a73fbdc34bc58 /include/linux/mfd | |
| parent | 492ef7829d2d09428803bffb187d5781bbc12ca5 (diff) | |
platform/chrome: cros_ec_dev - Fix security issue
Prevent memory scribble by checking that ioctl buffer size parameters
are sane.
Without this check, on 32 bits system, if .insize = 0xffffffff - 20 and
.outsize the amount to scribble, we would overflow, allocate a small
amounts and be able to write outside of the malloc'ed area.
Adding a hard limit allows argument checking of the ioctl. With the
current EC, it is expected .insize and .outsize to be at around 512 bytes
or less.
Signed-off-by: Gwendal Grignou <gwendal@chromium.org>
Signed-off-by: Olof Johansson <olof@lixom.net>
Diffstat (limited to 'include/linux/mfd')
| -rw-r--r-- | include/linux/mfd/cros_ec.h | 6 |
1 files changed, 4 insertions, 2 deletions
diff --git a/include/linux/mfd/cros_ec.h b/include/linux/mfd/cros_ec.h index a677c2bd485c..64184d27e3cd 100644 --- a/include/linux/mfd/cros_ec.h +++ b/include/linux/mfd/cros_ec.h | |||
| @@ -50,9 +50,11 @@ enum { | |||
| 50 | EC_MSG_TX_TRAILER_BYTES, | 50 | EC_MSG_TX_TRAILER_BYTES, |
| 51 | EC_MSG_RX_PROTO_BYTES = 3, | 51 | EC_MSG_RX_PROTO_BYTES = 3, |
| 52 | 52 | ||
| 53 | /* Max length of messages */ | 53 | /* Max length of messages for proto 2*/ |
| 54 | EC_MSG_BYTES = EC_PROTO2_MAX_PARAM_SIZE + | 54 | EC_PROTO2_MSG_BYTES = EC_PROTO2_MAX_PARAM_SIZE + |
| 55 | EC_MSG_TX_PROTO_BYTES, | 55 | EC_MSG_TX_PROTO_BYTES, |
| 56 | |||
| 57 | EC_MAX_MSG_BYTES = 64 * 1024, | ||
| 56 | }; | 58 | }; |
| 57 | 59 | ||
| 58 | /* | 60 | /* |