From 9b655e9328416db65ae90a57fcadf9b2265bb646 Mon Sep 17 00:00:00 2001
From: Lee Jones
Date: Tue, 11 Jul 2023 17:20:13 +0000
Subject: [PATCH] ANDROID: Incremental fs: Allocate data buffer based on input request size

Presently the data buffer used to return the per-UID timeout description is created based on information provided by the user. It is expected that the user populates a variable called 'timeouts_array_size', which is heavily scrutinised to ensure the value provided is appropriate, i.e. smaller than the largest possible value but large enough to contain all of the data we wish to pass back.

The issue is that the aforementioned scrutiny is imposed on a different variable to the one expected. Contrary to expectation, the data buffer is actually being allocated to the size specified in a variable named 'timeouts_array_size_out', a variable originally designed to only contain the output information, i.e. the size of the data actually copied to the user for consumption. This value is also user provided and is not given the same level of scrutiny as the former.

The fix in this case is simple. Ignore 'timeouts_array_size_out' until it is time to populate (over-write) it ourselves and use 'timeouts_array_size' to shape the buffer as intended.

Bug: 281547360
Change-Id: I95e12879a33a2355f9e4bc0ce2bfc3f229141aa8
Signed-off-by: Lee Jones
(cherry picked from commit 5a4d20a3eb4e651f88ed2f1f08cee066639ca801)
---
 fs/incfs/pseudo_files.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/fs/incfs/pseudo_files.c b/fs/incfs/pseudo_files.c
index 57c3353666ee..814d7063581a 100644
--- a/fs/incfs/pseudo_files.c
+++ b/fs/incfs/pseudo_files.c
@@ -918,10 +918,10 @@ static long ioctl_get_read_timeouts(struct mount_info *mi, void __user *arg) if (copy_from_user(&args, args_usr_ptr, sizeof(args))) return -EINVAL; - if (args.timeouts_array_size_out > INCFS_DATA_FILE_BLOCK_SIZE) + if (args.timeouts_array_size > INCFS_DATA_FILE_BLOCK_SIZE) return -EINVAL; - buffer = kzalloc(args.timeouts_array_size_out, GFP_NOFS); + buffer = kzalloc(args.timeouts_array_size, GFP_NOFS); if (!buffer) return -ENOMEM;
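Review bot: the new bound on `args.timeouts_array_size` only rejects values above INCFS_DATA_FILE_BLOCK_SIZE; a value of 0 still reaches `kzalloc(args.timeouts_array_size, GFP_NOFS)`, which returns ZERO_SIZE_PTR rather than NULL, so the `if (!buffer)` test on the next line does not catch it. Worth either rejecting 0 alongside the upper bound, or confirming that the "large enough to contain all of the data" check the commit message refers to runs before anything is written through `buffer`. Minor, and pre-existing: the `copy_from_user` failure two lines above the hunk returns -EINVAL where -EFAULT is the usual code for a bad user pointer.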
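To make the "checked one field, allocated from the other" mistake concrete, the following is an added model of the handler, written for this page and not taken from incfs or the patch. It keeps only the two size fields of the ioctl argument block and the INCFS_DATA_FILE_BLOCK_SIZE bound from the hunk; `run_handler`, `call_with`, `struct outcome`, the `needed_bytes` parameter, the -E2BIG code and the ordering of the later capacity check against 'timeouts_array_size' are assumptions drawn from the commit message's description, not the driver's code. Instead of corrupting a heap it reports whether the eventual fill would run past the buffer, and it treats a zero-length allocation as a non-NULL success because that is what kzalloc(0) returns in Linux.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Upper bound taken from the patch; everything else in this file is a constructed model. */
#define INCFS_DATA_FILE_BLOCK_SIZE 4096u

/* Constructed stand-in for the ioctl argument block: only the two size fields are modelled. */
struct get_read_timeouts_args {
	uint32_t timeouts_array_size;     /* capacity the caller says it reserved (the intended input) */
	uint32_t timeouts_array_size_out; /* meant to be written by the kernel, but arrives caller-initialised */
};

/* What one call would do to the heap, recorded instead of done. */
struct outcome {
	int    rc;       /* 0 or a negative errno, as the ioctl would return */
	size_t alloc;    /* bytes the handler allocated for its buffer */
	bool   overflow; /* true if filling the buffer would run past alloc */
};

/*
 * Hypothetical model of the handler (assumption, not incfs code). 'fixed'
 * selects which field bounds and sizes the allocation: *_size_out before the
 * patch, *_size after it. needed_bytes stands in for the size of the per-UID
 * timeout data the driver wants to hand back; the capacity check against
 * timeouts_array_size and the -E2BIG code are inferred from the commit message.
 */
static struct outcome run_handler(const struct get_read_timeouts_args *args,
				  size_t needed_bytes, bool fixed)
{
	struct outcome o = { 0, 0, false };
	uint32_t alloc_bytes = fixed ? args->timeouts_array_size
				     : args->timeouts_array_size_out;

	/* The only check the allocation size gets in either version. */
	if (alloc_bytes > INCFS_DATA_FILE_BLOCK_SIZE) {
		o.rc = -EINVAL;
		return o;
	}
	/* kzalloc(0) returns ZERO_SIZE_PTR, which is non-NULL, so a zero-length
	 * request passes the !buffer test; model it as a 0-byte success. */
	o.alloc = alloc_bytes;

	/* The "large enough to contain all of the data" check from the commit
	 * message compares the caller's stated capacity, not the allocation. */
	if (args->timeouts_array_size < needed_bytes) {
		o.rc = -E2BIG;
		return o;
	}

	/* The fill copies needed_bytes into a buffer of o.alloc bytes. */
	o.overflow = needed_bytes > o.alloc;
	return o;
}

/* Caller-shaped input: an honest capacity paired with a caller-chosen *_size_out. */
static struct outcome call_with(uint32_t size, uint32_t size_out,
				size_t needed_bytes, bool fixed)
{
	struct get_read_timeouts_args a = {
		.timeouts_array_size = size,
		.timeouts_array_size_out = size_out,
	};
	return run_handler(&a, needed_bytes, fixed);
}

int main(void)
{
	/* Same request, 256 bytes of data to return, before and after the fix. */
	struct outcome before = call_with(INCFS_DATA_FILE_BLOCK_SIZE, 8, 256, false);
	struct outcome after  = call_with(INCFS_DATA_FILE_BLOCK_SIZE, 8, 256, true);

	printf("before fix: rc=%d alloc=%zu overflow=%d\n", before.rc, before.alloc, before.overflow);
	printf("after fix:  rc=%d alloc=%zu overflow=%d\n", after.rc, after.alloc, after.overflow);
	return 0;
}
```

The pre-fix path passes every check with an 8-byte (or 0-byte) allocation and a 4096-byte stated capacity, then fills 256 bytes; the post-fix path sizes the buffer from the same field the capacity check reads, so the fill can never exceed it, and an oversized 'timeouts_array_size' is now rejected with -EINVAL instead of being trusted.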