efi/efi_test: Prevent an Oops in efi_runtime_query_capsulecaps()urgent

If "qcaps.capsule_count" is ULONG_MAX then "qcaps.capsule_count + 1" will overflow to zero and kcalloc() will return the ZERO_SIZE_PTR. We try to dereference it inside the loop and crash. Fixes: ff6301dabc3c ("efi: Add efi_test driver for exporting UEFI runtime service interfaces") Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Acked-by: Ivan Hu <ivan.hu@canonical.com> Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org> Signed-off-by: Matt Fleming <matt@codeblueprint.co.uk>
author: Dan Carpenter <dan.carpenter@oracle.com> 2017-09-30 11:17:32 +0300
committer: Matt Fleming <matt@codeblueprint.co.uk> 2017-10-11 10:33:52 +0100
commit: 9f1b07fee513a9a5d36677e5464874dfe7d49e52 (patch)
tree: 6477116322a0c3a10991bdef2870a4eba195b26b
parent: 0a97e704d93fe4facf2bffe3c78095b9d441df42 (diff)
download: efi-urgent.tar.gz
1 files changed, 3 insertions, 0 deletions
diff --git a/drivers/firmware/efi/test/efi_test.c b/drivers/firmware/efi/test/efi_test.c
index 8cd578f620594..c2da6424fa7e5 100644
--- a/drivers/firmware/efi/test/efi_test.c
+++ b/drivers/firmware/efi/test/efi_test.c
@@ -598,6 +598,9 @@ static long efi_runtime_query_capsulecaps(unsigned long arg)
 	if (copy_from_user(&qcaps, qcaps_user, sizeof(qcaps)))
 		return -EFAULT;
 
+	if (qcaps.capsule_count == ULONG_MAX)
+		return -EINVAL;
+
 	capsules = kcalloc(qcaps.capsule_count + 1,
 			   sizeof(efi_capsule_header_t), GFP_KERNEL);
 	if (!capsules)
author	Dan Carpenter <dan.carpenter@oracle.com>	2017-09-30 11:17:32 +0300
committer	Matt Fleming <matt@codeblueprint.co.uk>	2017-10-11 10:33:52 +0100
commit	9f1b07fee513a9a5d36677e5464874dfe7d49e52 (patch)
tree	6477116322a0c3a10991bdef2870a4eba195b26b
parent	0a97e704d93fe4facf2bffe3c78095b9d441df42 (diff)
download	efi-urgent.tar.gz