author | Swetha Chikkaboraiah <schikk@codeaurora.org> | 2016-01-27 11:46:54 +0530 |
---|---|---|
committer | Devin Kim <dojip.kim@lge.com> | 2016-05-23 07:45:47 -0700 |
commit | 504f3357f3ef296bf5ccbfe05df2025fa41eb354 (patch) | |
tree | c61f39119872eec917aaaffdad33ca64b63fd65d | |
parent | 05d98bc9eecf41008b7eca23d6a9b97674ee0c5d (diff) |
msm: perf: Protect buffer overflow due to malicious user
android-wear-6.0.1_r0.26
In function krait_pmu_disable_event, parameter hwc comes from
userspace and is untrusted. The function krait_clearpmu is called
after the function get_krait_evtinfo.
Function get_krait_evtinfo has parameter krait_evt_type variable
which is used to extract the groupcode(reg) which is bound to
KRAIT_MAX_L1_REG (is 3). After validation, one code path modifies
groupcode(reg): If this code path executes, groupcode(reg) can be
3, 4, 5, or 6. In krait_clearpmu groupcode is used to access array
krait_functions whose size is 3. Since groupcode can be 3, 4, 5, 6
accessing array krait_functions leads to buffer overflow.
This change will validate groupcode not to exceed 3.
Change-Id: I48c92adda137d8a074b4e1a367a468195a810ca1
CRs-fixed: 962450
Signed-off-by: Swetha Chikkaboraiah <schikk@codeaurora.org>
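The validate-then-modify ordering described in the commit message, modelled as an added example (not the driver's code or the author's). KRAIT_MAX_L1_REG = 3 is taken from the message; the prefix values, the VENUM_BASE_OFFSET value, the prefix/reg bit positions and the condition guarding the offset are assumptions made for this model.

```c
#include <stdio.h>

/* Constructed model of the check ordering, not the driver source.
 * MAX_L1_REG = 3 comes from the commit message; the other constants and the
 * prefix/reg bit positions are assumptions made for this example. */
#define MAX_L1_REG   3u  /* KRAIT_MAX_L1_REG, "is 3" per the commit message */
#define VENUM_OFFSET 3u  /* assumed value of VENUM_BASE_OFFSET */
#define PREFIX_EVT   1u  /* assumed value of KRAIT_EVT_PREFIX */
#define PREFIX_VENUM 2u  /* assumed value of KRAIT_VENUMEVT_PREFIX */

/* Returns 0 and stores the table index, or -1 if the event type is rejected.
 * check_last = 0: range check before the offset is applied (old order).
 * check_last = 1: range check after the offset is applied (patched order). */
static int decode_reg(unsigned int evt, int check_last, unsigned int *idx)
{
    unsigned int prefix = (evt & 0xF0000) >> 16;  /* assumed field */
    unsigned int reg    = (evt & 0x0F000) >> 12;  /* assumed field */
    unsigned int group  = evt & 0x0000F;          /* mask as in the diff */

    if (!check_last && (group > 3 || reg > MAX_L1_REG))
        return -1;
    if (prefix != PREFIX_EVT && prefix != PREFIX_VENUM)
        return -1;
    if (prefix == PREFIX_VENUM)                   /* assumed condition */
        reg += VENUM_OFFSET;
    if (check_last && (group > 3 || reg > MAX_L1_REG))
        return -1;
    *idx = reg;
    return 0;
}

/* Largest index that survives validation over every 20-bit event type. */
static unsigned int max_accepted_index(int check_last)
{
    unsigned int evt, idx, max = 0;

    for (evt = 0; evt <= 0xFFFFF; evt++)
        if (decode_reg(evt, check_last, &idx) == 0 && idx > max)
            max = idx;
    return max;
}

int main(void)
{
    printf("old order:     max index %u\n", max_accepted_index(0));
    printf("patched order: max index %u\n", max_accepted_index(1));
    return 0;
}
```

An exhaustive sweep like this works as a regression test for any validator whose checked value is adjusted afterwards: the bound has to hold on the value that is finally stored, not on the value first parsed.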
-rw-r--r-- | arch/arm/kernel/perf_event_msm_krait.c | 8 |
1 files changed, 4 insertions, 4 deletions
diff --git a/arch/arm/kernel/perf_event_msm_krait.c b/arch/arm/kernel/perf_event_msm_krait.c index 49aae5a66b65..34f9b4e5b099 100644 --- a/arch/arm/kernel/perf_event_msm_krait.c +++ b/arch/arm/kernel/perf_event_msm_krait.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 2011-2014, The Linux Foundation. All rights reserved. + * Copyright (c) 2011-2014, 2016 The Linux Foundation. All rights reserved. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 and @@ -208,9 +208,6 @@ static unsigned int get_krait_evtinfo(unsigned int krait_evt_type, code = (krait_evt_type & 0x00FF0) >> 4; group = krait_evt_type & 0x0000F; - if ((group > 3) || (reg > KRAIT_MAX_L1_REG)) - return -EINVAL; - if (prefix != KRAIT_EVT_PREFIX && prefix != KRAIT_VENUMEVT_PREFIX) return -EINVAL; @@ -221,6 +218,9 @@ static unsigned int get_krait_evtinfo(unsigned int krait_evt_type, reg += VENUM_BASE_OFFSET; } + if ((group > 3) || (reg > KRAIT_MAX_L1_REG)) + return -EINVAL; + evtinfo->group_setval = 0x80000000 | (code << (group * 8)); evtinfo->groupcode = reg; evtinfo->armv7_evt_type = evt_type_base[reg] | group; |
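Review bot: In the hunk at -208, the function header reads "static unsigned int get_krait_evtinfo(...)" while every rejection path, including the check being moved, does "return -EINVAL;". Through an unsigned return type that value becomes a large positive number, so a caller testing the result with "< 0" would never see the rejection and would go on to use groupcode. Either change the return type to int, or confirm in this patch that every caller compares against -EINVAL explicitly.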
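Review bot: In the hunk at -221, the relocated test "reg > KRAIT_MAX_L1_REG" still accepts reg == 3, yet the commit message gives KRAIT_MAX_L1_REG as 3 and the size of krait_functions as 3; if both hold, index 3 is one past the end. The same reg also indexes evt_type_base two lines below the new check. Please state the real lengths of both arrays and either tighten the comparison to ">=" or correct the message. Deriving the bound from the arrays with ARRAY_SIZE() would keep the check and the tables from drifting apart. A short comment above the check saying that it must stay after the VENUM_BASE_OFFSET adjustment would help prevent it from being moved back.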