From 7c1c6f257839a27d395324d133bc4bdac263af93 Mon Sep 17 00:00:00 2001
From: Patrick Tjin <pattjin@google.com>
Date: Tue, 13 Oct 2015 08:06:00 -0700
Subject: [PATCH] msm: ipc_socket: fix leak of kernel memory to userspace

Limit the size of the copy to the minimum of what was asked
for and the number of results returned, to prevent leaking
uninitialized kernel memory to userspace.

Bug: 24157888

Signed-off-by: Patrick Tjin <pattjin@google.com>
Change-Id: I39f2e56716a1543aa6e3fa42140dc18cc470faf9
---
 arch/arm/mach-msm/ipc_socket.c | 16 ++++++++++------
 1 file changed, 10 insertions(+), 6 deletions(-)

diff --git a/arch/arm/mach-msm/ipc_socket.c b/arch/arm/mach-msm/ipc_socket.c
index 515dc92bb9b6..d199c6a40fb8 100644
--- a/arch/arm/mach-msm/ipc_socket.c
+++ b/arch/arm/mach-msm/ipc_socket.c
@@ -533,16 +533,20 @@ static int msm_ipc_router_ioctl(struct socket *sock,
 			break;
 		}
 		server_arg.num_entries_found = ret;
-
 		ret = copy_to_user((void *)arg, &server_arg,
 				   sizeof(server_arg));
-		if (srv_info_sz) {
+
+		n = min(server_arg.num_entries_found,
+			server_arg.num_entries_in_array);
+
+		if (ret == 0 && n) {
 			ret = copy_to_user((void *)(arg + sizeof(server_arg)),
-					   srv_info, srv_info_sz);
-			if (ret)
-				ret = -EFAULT;
-			kfree(srv_info);
+					   srv_info, n * sizeof (*srv_info));
 		}
+
+		if (ret)
+			ret = -EFAULT;
+		kfree(srv_info);
 		break;
 
 	case IPC_ROUTER_IOCTL_BIND_CONTROL_PORT:
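Review bot: The `kfree(srv_info)` moved out of the `if` now runs on every path through this case, which is only safe if `srv_info` is initialized to NULL on the path where no buffer was allocated; that initialization, like the declaration of `n`, lies outside the hunk and cannot be confirmed from here, and the enclosing `msm_ipc_router_ioctl` continues beyond it. The bounded copy is the whole point of the fix and deserves a comment so nobody later "restores" the full-size copy, e.g. `/* only the first n entries were filled in; the rest of srv_info is uninitialized, so never copy past it */` above the `min()` line. Since `num_entries_in_array` presumably comes from the user-supplied struct, it is also worth noting in that comment that `n` is what keeps the copy within both the caller's array and the entries actually populated. As a style point, kernel code writes `sizeof(*srv_info)` without the space before the parenthesis.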
-- 
GitLab