efi/efi_test: Prevent an Oops in efi_runtime_query_capsulecaps()

If "qcaps.capsule_count" is ULONG_MAX then "qcaps.capsule_count + 1" will overflow to zero and kcalloc() will return the ZERO_SIZE_PTR. We try to dereference it inside the loop and crash. Signed-off-by: Dan Carpenter <[email protected]> Signed-off-by: Matt Fleming <[email protected]> Signed-off-by: Ard Biesheuvel <[email protected]> Acked-by: Ivan Hu <[email protected]> Cc: Linus Torvalds <[email protected]> Cc: Peter Zijlstra <[email protected]> Cc: Thomas Gleixner <[email protected]> Cc: [email protected] Fixes: ff6301dabc3c ("efi: Add efi_test driver for exporting UEFI runtime service interfaces") Link: http://lkml.kernel.org/r/[email protected] Signed-off-by: Ingo Molnar <[email protected]>
author: Dan Carpenter <[email protected]> 2017-10-25 11:04:47 +0100
committer: Ingo Molnar <[email protected]> 2017-10-25 12:10:59 +0200
commit: 092e72c9edab16d4d6ad10c683a95047d53b6db4 (patch)
tree: 83b287433e6af410d15432ba9466ca7dc70d01e6
parent: f34157878d3b17641ad2366988600c23c89d98b2 (diff)
1 files changed, 3 insertions, 0 deletions
diff --git a/drivers/firmware/efi/test/efi_test.c b/drivers/firmware/efi/test/efi_test.c
index 08129b7b80ab..41c48a1e8baa 100644
--- a/drivers/firmware/efi/test/efi_test.c
+++ b/drivers/firmware/efi/test/efi_test.c
@@ -593,6 +593,9 @@ static long efi_runtime_query_capsulecaps(unsigned long arg)
 	if (copy_from_user(&qcaps, qcaps_user, sizeof(qcaps)))
 		return -EFAULT;
 
+	if (qcaps.capsule_count == ULONG_MAX)
+		return -EINVAL;
+
 	capsules = kcalloc(qcaps.capsule_count + 1,
 			   sizeof(efi_capsule_header_t), GFP_KERNEL);
 	if (!capsules)
author	Dan Carpenter <[email protected]>	2017-10-25 11:04:47 +0100
committer	Ingo Molnar <[email protected]>	2017-10-25 12:10:59 +0200
commit	092e72c9edab16d4d6ad10c683a95047d53b6db4 (patch)
tree	83b287433e6af410d15432ba9466ca7dc70d01e6
parent	f34157878d3b17641ad2366988600c23c89d98b2 (diff)