authorHammer_Tsao <Hammer_Tsao@asus.com>2016-07-19 16:02:05 +0800
committerCarol_Jiang <carol_jiang@asus.com>2016-07-19 18:07:00 +0800
commit11949c61ddb9dca01913b955bf708a0f3f0dd038 (patch)
tree3d051eec6affb4696a4ca457d0fa753ec22e8f1f
parent26a8760be0e4cbbb2046a3f30bc10c0fc5ce4012 (diff)
anthias: security patch: CVE-2016-3775android-wear-6.0.1_r0.51
ANDROID-28588279 Change-Id: Icd0dca9b8481a4de8ce597cb3ae45ceb109e1acb Reviewed-on: http://mcrd1-22-pc.corpnet.asus/code-review/master/244392 Reviewed-by: Hammer_Tsao <Hammer_Tsao@asus.com> Reviewed-by: Carol_Jiang <carol_jiang@asus.com> Tested-by: Carol_Jiang <carol_jiang@asus.com>
-rwxr-xr-x[-rw-r--r--]fs/aio.c11
1 files changed, 8 insertions, 3 deletions
diff --git a/fs/aio.c b/fs/aio.c
index ebd06fd0de89..032b4d16eea8 100644..100755
--- a/fs/aio.c
+++ b/fs/aio.c
@@ -977,12 +977,17 @@ static ssize_t aio_setup_vectored_rw(int rw, struct kiocb *kiocb, bool compat)
static ssize_t aio_setup_single_vector(int rw, struct kiocb *kiocb)
{
- if (unlikely(!access_ok(!rw, kiocb->ki_buf, kiocb->ki_nbytes)))
- return -EFAULT;
+ size_t len = kiocb->ki_nbytes;
+
+ if (len > MAX_RW_COUNT)
+ len = MAX_RW_COUNT;
+
+ if (unlikely(!access_ok(!rw, kiocb->ki_buf, len)))
+ return -EFAULT;
kiocb->ki_iovec = &kiocb->ki_inline_vec;
kiocb->ki_iovec->iov_base = kiocb->ki_buf;
- kiocb->ki_iovec->iov_len = kiocb->ki_nbytes;
+ kiocb->ki_iovec->iov_len = len;
kiocb->ki_nr_segs = 1;
return 0;
}
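Review bot: In aio_setup_single_vector the clamp is applied only to the local `len`, so `kiocb->ki_nbytes` keeps the caller-supplied value while `iov_len` is capped at MAX_RW_COUNT. If any code outside this hunk still reads `ki_nbytes` before it is re-derived, the two lengths disagree; either confirm that path or add `kiocb->ki_nbytes = len;` next to the `iov_len` assignment. A short comment above the clamp, e.g. `/* cap the user-supplied length so iov_len never exceeds MAX_RW_COUNT */`, would record why the check exists. The file header also flips fs/aio.c from mode 100644 to 100755, which looks unrelated to the fix and should probably be dropped from the patch.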