From 5bf3e63d8a668172e6542f22c2df806863f32544 Mon Sep 17 00:00:00 2001
From: CheckYourScreen
Date: Thu, 27 Oct 2016 12:25:37 +0200
Subject: [PATCH] net: ipc_router: Bind only a client port as control port (fix CVE-2016-2059)

IPC Router binds any port as a control port and moves it from the client port list to control port list. Misbehaving clients can exploit this incorrect behavior. IPC Router to check if the port is a client port before binding it as a control port.

Signed-off-by: CheckYourScreen
---
 arch/arm/mach-msm/ipc_router.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arch/arm/mach-msm/ipc_router.c b/arch/arm/mach-msm/ipc_router.c
index fa9546984c39..c06fd80902ef 100644
--- a/arch/arm/mach-msm/ipc_router.c
+++ b/arch/arm/mach-msm/ipc_router.c
@@ -2853,7 +2853,7 @@ int msm_ipc_router_get_curr_pkt_size(struct msm_ipc_port *port_ptr)
 int msm_ipc_router_bind_control_port(struct msm_ipc_port *port_ptr)
 {
- if (!port_ptr)
+ if (unlikely(!port_ptr || port_ptr->type != CLIENT_PORT))
 return -EINVAL;
 down_write(&local_ports_lock_lha2);
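Review bot: The new `port_ptr->type != CLIENT_PORT` test in msm_ipc_router_bind_control_port() runs before `down_write(&local_ports_lock_lha2)` is taken, so it only closes the double-bind case if something outside this hunk serializes bind calls on the same port. If the caller does not already hold a per-socket lock (not visible here, worth confirming), two concurrent binds could both pass the check before either one changes the port's state. In that case the type test should move inside the write-locked section, before the list manipulation. If callers are serialized, the assumption deserves a comment above the check, for example `/* Only a CLIENT_PORT may become a control port; caller serializes binds on this port. */`. The function body continues past the end of the hunk, so the list move and the type update could not be reviewed here.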