platform/chrome: cros_ec_dev - Fix security issue

commit 5d749d0bbe811c10d9048cde6dfebc761713abfd upstream. Prevent memory scribble by checking that ioctl buffer size parameters are sane. Without this check, on 32 bits system, if .insize = 0xffffffff - 20 and .outsize the amount to scribble, we would overflow, allocate a small amounts and be able to write outside of the malloc'ed area. Adding a hard limit allows argument checking of the ioctl. With the current EC, it is expected .insize and .outsize to be at around 512 bytes or less. Signed-off-by: Gwendal Grignou <gwendal@chromium.org> Signed-off-by: Olof Johansson <olof@lixom.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
author: Gwendal Grignou <gwendal@chromium.org> 2016-03-08 09:13:52 -0800
committer: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2021-03-24 10:57:00 +0100
commit: 9c53f0065310ac5e85f6f3b278b6a31e940f78f9 (patch)
tree: 9995e75065540de0e36de6a7e81d8a9fcd3eeadd /include/linux/mfd
parent: 01865de78a64b4352d77f66e4e9bb0b13ed75777 (diff)
1 files changed, 4 insertions, 2 deletions
diff --git a/include/linux/mfd/cros_ec.h b/include/linux/mfd/cros_ec.h
index 3ab3cede28ea..93c14e9df630 100644
--- a/include/linux/mfd/cros_ec.h
+++ b/include/linux/mfd/cros_ec.h
@@ -50,9 +50,11 @@ enum {
 					EC_MSG_TX_TRAILER_BYTES,
 	EC_MSG_RX_PROTO_BYTES	= 3,
 
-	/* Max length of messages */
-	EC_MSG_BYTES		= EC_PROTO2_MAX_PARAM_SIZE +
+	/* Max length of messages for proto 2*/
+	EC_PROTO2_MSG_BYTES		= EC_PROTO2_MAX_PARAM_SIZE +
 					EC_MSG_TX_PROTO_BYTES,
+
+	EC_MAX_MSG_BYTES		= 64 * 1024,
 };
 
 /*
author	Gwendal Grignou <gwendal@chromium.org>	2016-03-08 09:13:52 -0800
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2021-03-24 10:57:00 +0100
commit	9c53f0065310ac5e85f6f3b278b6a31e940f78f9 (patch)
tree	9995e75065540de0e36de6a7e81d8a9fcd3eeadd /include/linux/mfd
parent	01865de78a64b4352d77f66e4e9bb0b13ed75777 (diff)