Unverified Commit 25d9fa98 authored by openeuler-ci-bot's avatar openeuler-ci-bot Committed by Gitee
Browse files

!6755 binder: check offset alignment in binder_get_object() 

Merge Pull Request from: @ci-robot 
 
PR sync from: Lin Yujun <linyujun809@huawei.com>
https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/WHFWRD572AJAKRRKSGS5N7XIG6JIP32T/ 
 
https://gitee.com/src-openeuler/kernel/issues/I9JJ2F 
 
Link:https://gitee.com/openeuler/kernel/pulls/6755

 

Reviewed-by: default avatarZhang Jianhua <chris.zjh@huawei.com>
Signed-off-by: default avatarJialin Zhang <zhangjialin11@huawei.com>
parents 54f3df6b 2377497f

drivers/android/binder.c

+3 −1
Original line number Diff line number Diff line
@@ -2042,8 +2042,10 @@ static size_t binder_get_object(struct binder_proc *proc, 
	size_t object_size = 0;



	read_size = min_t(size_t, sizeof(*object), buffer->data_size - offset);

	if (offset > buffer->data_size || read_size < sizeof(*hdr))

	if (offset > buffer->data_size || read_size < sizeof(*hdr) ||

	    !IS_ALIGNED(offset, sizeof(u32)))

		return 0;



	if (u) {

		if (copy_from_user(object, u + offset, read_size))

			return 0;