From de02da7990c865cd7a2f1b5685a4d232504dc1ec Mon Sep 17 00:00:00 2001
From: Martijn Coenen <maco at android.com>
Date: Thu, 17 Oct 2019 17:16:26 +0800
Subject: [PATCH] Android Security Bulletin - November 2019-11 - Kernel
 components binder driver - CVE-2019-2214 [1/1]

PD#OTT-6799

Problem:
In case the target node requests a security context, the
extra_buffers_size is increased with the size of the security context.
But, that size is not available for use by regular scatter-gather
buffers;

Solution:
make sure the ending of that buffer is marked correctly.

Verify:
Raven

Change-Id: I896f86a92a4b937a7a731ce9839ff53a700b298a
Signed-off-by: Martijn Coenen <maco at android.com>
Signed-off-by: Hanjie Lin <hanjie.lin@amlogic.com>
---
 drivers/android/binder.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/android/binder.c b/drivers/android/binder.c
index fe5ba6762335..27c38b550f9e 100644
--- a/drivers/android/binder.c
+++ b/drivers/android/binder.c
@@ -3334,7 +3334,8 @@ static void binder_transaction(struct binder_proc *proc,
 	buffer_offset = off_start_offset;
 	off_end_offset = off_start_offset + tr->offsets_size;
 	sg_buf_offset = ALIGN(off_end_offset, sizeof(void *));
-	sg_buf_end_offset = sg_buf_offset + extra_buffers_size;
+	sg_buf_end_offset = sg_buf_offset + extra_buffers_size -
+	     ALIGN(secctx_sz, sizeof(u64));
 	off_min = 0;
 	for (buffer_offset = off_start_offset; buffer_offset < off_end_offset;
 	     buffer_offset += sizeof(binder_size_t)) {