forked from mirrors/linux
The buffer copy functions assumed the caller would ensure
correct alignment and that the memory to be copied was
completely within the binder buffer. There have been
a few cases discovered by syzkaller where a malformed
transaction created by a user could violate the
assumptions and result in a BUG_ON.
The fix is to remove the BUG_ON and always return the
error to be handled appropriately by the caller.
Acked-by: Martijn Coenen <maco@android.com>
Reported-by: syzbot+3ae18325f96190606754@syzkaller.appspotmail.com
Fixes:
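To make the commit's point concrete, the following is an added user-space model of the kind of check a buffer copy helper should make before touching the buffer, so that a malformed transaction yields an error code for the caller instead of a BUG_ON. It is example code written for this page, not the kernel's own implementation; the `tx_buffer` struct, the `check_buffer` / `copy_from_buffer` / `copy_object_from_buffer` helpers and the sample buffer layout are assumptions for illustration.

```c
/* Added example, not the kernel's own code: a user-space model of the
 * bounds and alignment checks a binder-style buffer copy helper needs.
 * The struct layout, helper names and sample sizes below are assumptions
 * made for illustration. */
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for a transaction buffer: one backing allocation holding the
 * data area, the offsets array and the extra buffers back to back. */
struct tx_buffer {
	uint8_t *data;
	size_t data_size;
	size_t offsets_size;
	size_t extra_buffers_size;
};

/* Total bytes the transaction may legitimately address. */
static size_t tx_buffer_size(const struct tx_buffer *b)
{
	return b->data_size + b->offsets_size + b->extra_buffers_size;
}

/* True when [offset, offset + bytes) lies entirely inside the buffer.
 * Written as two comparisons so a huge offset or length cannot wrap the
 * addition and sneak past the check. */
static bool check_buffer(const struct tx_buffer *b, size_t offset, size_t bytes)
{
	size_t size = tx_buffer_size(b);

	return offset <= size && bytes <= size - offset;
}

/* Copy out of the buffer. Returns 0 on success and -EINVAL when the range
 * is malformed, which is where a BUG_ON would have fired: the caller gets
 * an error to propagate, the user gets a failed transaction, not a panic. */
static int copy_from_buffer(void *dest, const struct tx_buffer *b,
			    size_t offset, size_t bytes)
{
	if (!check_buffer(b, offset, bytes))
		return -EINVAL;
	memcpy(dest, b->data + offset, bytes);
	return 0;
}

/* Copy a fixed-size object whose in-buffer offset must also be
 * pointer-aligned, the second assumption the old code left to callers. */
static int copy_object_from_buffer(void *dest, const struct tx_buffer *b,
				   size_t offset, size_t object_size)
{
	if (offset & (sizeof(void *) - 1))
		return -EINVAL;
	return copy_from_buffer(dest, b, offset, object_size);
}

/* Constructed sample: 64 bytes of backing storage split into 32 bytes of
 * data, 16 of offsets and 16 of extra buffers, filled with 0..63. */
static uint8_t demo_backing[64];
static uint8_t demo_dest[64];

static struct tx_buffer make_demo_buffer(void)
{
	struct tx_buffer b = { demo_backing, 32, 16, 16 };

	for (size_t i = 0; i < sizeof(demo_backing); i++)
		demo_backing[i] = (uint8_t)i;
	return b;
}

/* Convenience wrappers that run one copy against the sample buffer and
 * return the helper's result code. */
static int try_copy(size_t offset, size_t bytes)
{
	struct tx_buffer b = make_demo_buffer();

	return copy_from_buffer(demo_dest, &b, offset, bytes);
}

static int try_copy_object(size_t offset, size_t object_size)
{
	struct tx_buffer b = make_demo_buffer();

	return copy_object_from_buffer(demo_dest, &b, offset, object_size);
}

int main(void)
{
	printf("in-bounds copy:        %d\n", try_copy(0, 64));
	printf("runs past the end:     %d\n", try_copy(60, 8));
	printf("offset wraps:          %d\n", try_copy(SIZE_MAX, 1));
	printf("length wraps:          %d\n", try_copy(8, SIZE_MAX));
	printf("misaligned object:     %d\n", try_copy_object(3, 8));
	printf("aligned object:        %d\n", try_copy_object(16, 8));
	return 0;
}
```

The two wrap-around cases are the ones worth keeping in mind: a check written as `offset + bytes <= size` accepts `SIZE_MAX` for either operand because the sum wraps to a small value, which is exactly the kind of malformed transaction a fuzzer such as syzkaller will find.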
| File |
|---|
| binder.c |
| binder_alloc.c |
| binder_alloc.h |
| binder_alloc_selftest.c |
| binder_internal.h |
| binder_trace.h |
| binderfs.c |
| Kconfig |
| Makefile |