diff options
Diffstat (limited to 'drivers/android/binder.c')
| -rw-r--r-- | drivers/android/binder.c | 29 |
1 files changed, 22 insertions, 7 deletions
diff --git a/drivers/android/binder.c b/drivers/android/binder.c index 01f80cbd2741..5ddb2a4d893e 100644 --- a/drivers/android/binder.c +++ b/drivers/android/binder.c | |||
| @@ -3078,8 +3078,12 @@ static void binder_transaction(struct binder_proc *proc, | |||
| 3078 | ALIGN(tr->data_size, sizeof(void *))); | 3078 | ALIGN(tr->data_size, sizeof(void *))); |
| 3079 | offp = off_start; | 3079 | offp = off_start; |
| 3080 | 3080 | ||
| 3081 | if (copy_from_user(t->buffer->data, (const void __user *)(uintptr_t) | 3081 | if (binder_alloc_copy_user_to_buffer( |
| 3082 | tr->data.ptr.buffer, tr->data_size)) { | 3082 | &target_proc->alloc, |
| 3083 | t->buffer, 0, | ||
| 3084 | (const void __user *) | ||
| 3085 | (uintptr_t)tr->data.ptr.buffer, | ||
| 3086 | tr->data_size)) { | ||
| 3083 | binder_user_error("%d:%d got transaction with invalid data ptr\n", | 3087 | binder_user_error("%d:%d got transaction with invalid data ptr\n", |
| 3084 | proc->pid, thread->pid); | 3088 | proc->pid, thread->pid); |
| 3085 | return_error = BR_FAILED_REPLY; | 3089 | return_error = BR_FAILED_REPLY; |
| @@ -3087,8 +3091,13 @@ static void binder_transaction(struct binder_proc *proc, | |||
| 3087 | return_error_line = __LINE__; | 3091 | return_error_line = __LINE__; |
| 3088 | goto err_copy_data_failed; | 3092 | goto err_copy_data_failed; |
| 3089 | } | 3093 | } |
| 3090 | if (copy_from_user(offp, (const void __user *)(uintptr_t) | 3094 | if (binder_alloc_copy_user_to_buffer( |
| 3091 | tr->data.ptr.offsets, tr->offsets_size)) { | 3095 | &target_proc->alloc, |
| 3096 | t->buffer, | ||
| 3097 | ALIGN(tr->data_size, sizeof(void *)), | ||
| 3098 | (const void __user *) | ||
| 3099 | (uintptr_t)tr->data.ptr.offsets, | ||
| 3100 | tr->offsets_size)) { | ||
| 3092 | binder_user_error("%d:%d got transaction with invalid offsets ptr\n", | 3101 | binder_user_error("%d:%d got transaction with invalid offsets ptr\n", |
| 3093 | proc->pid, thread->pid); | 3102 | proc->pid, thread->pid); |
| 3094 | return_error = BR_FAILED_REPLY; | 3103 | return_error = BR_FAILED_REPLY; |
| @@ -3217,6 +3226,8 @@ static void binder_transaction(struct binder_proc *proc, | |||
| 3217 | struct binder_buffer_object *bp = | 3226 | struct binder_buffer_object *bp = |
| 3218 | to_binder_buffer_object(hdr); | 3227 | to_binder_buffer_object(hdr); |
| 3219 | size_t buf_left = sg_buf_end - sg_bufp; | 3228 | size_t buf_left = sg_buf_end - sg_bufp; |
| 3229 | binder_size_t sg_buf_offset = (uintptr_t)sg_bufp - | ||
| 3230 | (uintptr_t)t->buffer->data; | ||
| 3220 | 3231 | ||
| 3221 | if (bp->length > buf_left) { | 3232 | if (bp->length > buf_left) { |
| 3222 | binder_user_error("%d:%d got transaction with too large buffer\n", | 3233 | binder_user_error("%d:%d got transaction with too large buffer\n", |
| @@ -3226,9 +3237,13 @@ static void binder_transaction(struct binder_proc *proc, | |||
| 3226 | return_error_line = __LINE__; | 3237 | return_error_line = __LINE__; |
| 3227 | goto err_bad_offset; | 3238 | goto err_bad_offset; |
| 3228 | } | 3239 | } |
| 3229 | if (copy_from_user(sg_bufp, | 3240 | if (binder_alloc_copy_user_to_buffer( |
| 3230 | (const void __user *)(uintptr_t) | 3241 | &target_proc->alloc, |
| 3231 | bp->buffer, bp->length)) { | 3242 | t->buffer, |
| 3243 | sg_buf_offset, | ||
| 3244 | (const void __user *) | ||
| 3245 | (uintptr_t)bp->buffer, | ||
| 3246 | bp->length)) { | ||
| 3232 | binder_user_error("%d:%d got transaction with invalid offsets ptr\n", | 3247 | binder_user_error("%d:%d got transaction with invalid offsets ptr\n", |
| 3233 | proc->pid, thread->pid); | 3248 | proc->pid, thread->pid); |
| 3234 | return_error_param = -EFAULT; | 3249 | return_error_param = -EFAULT; |