ANDROID: Incremental fs: Allocate data buffer based on input request size

Presently the data buffer used to return the per-UID timeout description
is created based on information provided by the user.  It is expected
that the user populates a variable called 'timeouts_array_size', which is
heavily scrutinised to ensure the value provided is appropriate, i.e.
smaller than the largest possible value but large enough to contain all
of the data we wish to pass back.

The issue is that the aforementioned scrutiny is imposed on a different
variable to the one expected.  Contrary to expectation, the data buffer
is actually being allocated to the size specified in a variable named
'timeouts_array_size_out', a variable originally designed to only
contain the output information, i.e. the size of the data actually copied
to the user for consumption.  This value is also user provided and is
not given the same level of scrutiny as the former.

The fix in this case is simple.  Ignore 'timeouts_array_size_out' until
it is time to populate (over-write) it ourselves and use
'timeouts_array_size' to shape the buffer as intended.

Bug: 281547360
Change-Id: I95e12879a33a2355f9e4bc0ce2bfc3f229141aa8
Signed-off-by: Lee Jones <joneslee@google.com>
(cherry picked from commit 5a4d20a3eb4e651f88ed2f1f08cee066639ca801)
Lee Jones 2023-07-11 17:20:13 +00:00
parent 4def2dd180
commit f48a4c3b29


@ -916,10 +916,10 @@ static long ioctl_get_read_timeouts(struct mount_info *mi, void __user *arg)
if (copy_from_user(&args, args_usr_ptr, sizeof(args)))
return -EINVAL;
if (args.timeouts_array_size_out > INCFS_DATA_FILE_BLOCK_SIZE)
if (args.timeouts_array_size > INCFS_DATA_FILE_BLOCK_SIZE)
return -EINVAL;
buffer = kzalloc(args.timeouts_array_size_out, GFP_NOFS);
buffer = kzalloc(args.timeouts_array_size, GFP_NOFS);
if (!buffer)
return -ENOMEM;
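Review bot: the new bound check only rejects `args.timeouts_array_size > INCFS_DATA_FILE_BLOCK_SIZE`, so a user-supplied size of 0 still reaches `kzalloc(args.timeouts_array_size, GFP_NOFS)`; `kzalloc(0)` returns ZERO_SIZE_PTR rather than NULL, so the `if (!buffer)` test below it does not catch that case and any later write into `buffer` would be into a zero-length allocation. Consider rejecting a zero size alongside the upper bound, e.g. `if (!args.timeouts_array_size || args.timeouts_array_size > INCFS_DATA_FILE_BLOCK_SIZE) return -EINVAL;`, or add a comment explaining why a zero size is safe for the code that follows. As a separate nit on the unchanged context, `copy_from_user()` failure conventionally returns -EFAULT rather than -EINVAL.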