From fb9e85a66cf78be6ce4d407506b84ec64f7eafb8 Mon Sep 17 00:00:00 2001
From: chengjia4574 <chengjia4574@gmail.com>
Date: Wed, 9 Dec 2015 13:47:19 -0800
Subject: [PATCH] msm: arm: krait: Patch for krait array access out of bound

Current array-bound-check does not cover all cases.
An attacker can use this loophole to redirect $PC to attacker-controlled functions.

The fix is to move the existing array-bounds check to a later point so that it covers all cases.

Bug: 25773204
Change-Id: I06f1f34b97ceedcd919e6ad00b60871d4c88df82
Signed-off-by: Yuan Lin <yualin@google.com>
---
 arch/arm/kernel/perf_event_msm_krait.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/arch/arm/kernel/perf_event_msm_krait.c b/arch/arm/kernel/perf_event_msm_krait.c
index 1fb5fd320b49..f514b689d8a3 100644
--- a/arch/arm/kernel/perf_event_msm_krait.c
+++ b/arch/arm/kernel/perf_event_msm_krait.c
@@ -219,9 +219,6 @@ static unsigned int get_krait_evtinfo(unsigned int krait_evt_type,
 	code = (krait_evt_type & 0x00FF0) >> 4;
 	group = krait_evt_type & 0x0000F;
 
-	if ((group > 3) || (reg > krait_max_l1_reg))
-		return -EINVAL;
-
 	if (prefix != KRAIT_EVT_PREFIX && prefix != KRAIT_VENUMEVT_PREFIX)
 		return -EINVAL;
 
@@ -232,6 +229,9 @@ static unsigned int get_krait_evtinfo(unsigned int krait_evt_type,
 			reg += VENUM_BASE_OFFSET;
 	}
 
+	if ((group > 3) || (reg > krait_max_l1_reg))
+		return -EINVAL;
+
 	evtinfo->group_setval = 0x80000000 | (code << (group * 8));
 	evtinfo->groupcode = reg;
 	evtinfo->armv7_evt_type = evt_type_base[evt_index][reg] | group;
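Review bot: The relocated check still returns `-EINVAL` from a function declared `static unsigned int` (visible in both hunk headers), so the error comes back as a large positive value and any caller comparing against a negative result will treat it as a valid index; returning `int`, or documenting that callers must compare against `(unsigned int)-EINVAL`, would close that gap. The move itself is right, since `reg` is adjusted by `VENUM_BASE_OFFSET` before it indexes `evt_type_base[evt_index][reg]`, and the old check only covered the unadjusted value; a comment such as `/* reg may have been offset by VENUM_BASE_OFFSET above; bound the final index into evt_type_base[][] */` would record why the check sits here. Whether `evt_index` and `krait_max_l1_reg` are themselves tied to the dimensions of `evt_type_base` is not visible in this hunk and should be confirmed at the table definition. The body of get_krait_evtinfo starts and ends outside the hunk.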
-- 
GitLab