Home Explore Help
Sign In
GfA
/
linux_kernel
5
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Browse Source

efi/efi_test: Prevent an Oops in efi_runtime_query_capsulecaps()

If "qcaps.capsule_count" is ULONG_MAX then "qcaps.capsule_count + 1"
will overflow to zero and kcalloc() will return the ZERO_SIZE_PTR.  We
try to dereference it inside the loop and crash.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Matt Fleming <matt@codeblueprint.co.uk>
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Acked-by: Ivan Hu <ivan.hu@canonical.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: linux-efi@vger.kernel.org
Fixes: ff6301dabc3c ("efi: Add efi_test driver for exporting UEFI runtime service interfaces")
Link: http://lkml.kernel.org/r/20171025100448.26056-2-ard.biesheuvel@linaro.org
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Dan Carpenter 7 years ago
parent
f34157878d
commit
092e72c9ed
1 changed files with 3 additions and 0 deletions
Unified View Show Diff Stats
  1. 3 0
      drivers/firmware/efi/test/efi_test.c

+ 3 - 0
drivers/firmware/efi/test/efi_test.c
View File 

@@ -593,6 +593,9 @@ static long efi_runtime_query_capsulecaps(unsigned long arg)
 
 	if (copy_from_user(&qcaps, qcaps_user, sizeof(qcaps)))
 
 	if (copy_from_user(&qcaps, qcaps_user, sizeof(qcaps)))
 
 		return -EFAULT;
 
 		return -EFAULT;
 
 
 
+	if (qcaps.capsule_count == ULONG_MAX)
 
+		return -EINVAL;
 
+
 
 	capsules = kcalloc(qcaps.capsule_count + 1,
 
 	capsules = kcalloc(qcaps.capsule_count + 1,
 
 			   sizeof(efi_capsule_header_t), GFP_KERNEL);
 
 			   sizeof(efi_capsule_header_t), GFP_KERNEL);
 
 	if (!capsules)
 
 	if (!capsules)