Information

The msm_ipc_router_bind_control_port function in net/ipc_router/ipc_router_core.c in the IPC router kernel module for the Linux kernel 3.x does not verify that the port being bound is a client port. This allows a local attacker to gain privileges or cause a denial of service by making many BIND_CONTROL_PORT ioctl calls: the only precondition the unpatched function enforces is a non-NULL port pointer, so the same port, or a port of any other type, can be bound as a control port repeatedly.
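The following is an added user-space model of the missing check, not kernel code and not from the page or the Qualcomm/CAF sources. It reproduces the pre-patch and post-patch versions of the check side by side and drives both with the ioctl pattern the advisory describes (repeated binds on one port, and a bind on a non-client port). The port structure, the SERVER_PORT and CONTROL_PORT names, the list-membership counter, and the assumption that a successful bind re-types the port as a control port are all simplifications made for this illustration.

```c
#include <errno.h>
#include <stdio.h>

/* Port types: CLIENT_PORT is named in the patch, the others are assumed. */
enum port_type { CLIENT_PORT, SERVER_PORT, CONTROL_PORT };

/* Minimal model of struct msm_ipc_port: only the field the check reads,
 * plus a counter standing in for membership on the control_ports list. */
struct msm_ipc_port {
    enum port_type type;
    int control_list_entries;   /* >1 means the same port was linked twice */
};

/* Assumed model of what follows the check: the port is re-typed as a
 * control port and linked onto the control-port list. */
static int bind_body(struct msm_ipc_port *p)
{
    p->type = CONTROL_PORT;
    p->control_list_entries++;
    return 0;
}

/* Check as it stood before the patch: only NULL is rejected. */
int bind_control_port_unpatched(struct msm_ipc_port *port_ptr)
{
    if (!port_ptr)
        return -EINVAL;
    return bind_body(port_ptr);
}

/* Check as patched: the port must still be a client port. */
int bind_control_port_patched(struct msm_ipc_port *port_ptr)
{
    if (!port_ptr || port_ptr->type != CLIENT_PORT)
        return -EINVAL;
    return bind_body(port_ptr);
}

typedef int (*bind_fn)(struct msm_ipc_port *);

/* Issue `calls` binds on one freshly created client port and report how
 * many list entries it ends up with: 1 is correct, more means the port
 * was re-linked on every call. */
int bind_same_port_repeatedly(bind_fn bind, int calls)
{
    struct msm_ipc_port port = { CLIENT_PORT, 0 };
    for (int i = 0; i < calls; i++)
        (void)bind(&port);
    return port.control_list_entries;
}

/* Return code of binding a port that was never a client port. */
int bind_non_client_port(bind_fn bind)
{
    struct msm_ipc_port port = { SERVER_PORT, 0 };
    return bind(&port);
}

/* Return code of the second bind on the same client port. */
int second_bind_status(bind_fn bind)
{
    struct msm_ipc_port port = { CLIENT_PORT, 0 };
    (void)bind(&port);
    return bind(&port);
}

int main(void)
{
    printf("unpatched: 5 binds -> %d entries, server port -> %d, 2nd bind -> %d\n",
           bind_same_port_repeatedly(bind_control_port_unpatched, 5),
           bind_non_client_port(bind_control_port_unpatched),
           second_bind_status(bind_control_port_unpatched));
    printf("patched:   5 binds -> %d entries, server port -> %d, 2nd bind -> %d\n",
           bind_same_port_repeatedly(bind_control_port_patched, 5),
           bind_non_client_port(bind_control_port_patched),
           second_bind_status(bind_control_port_patched));
    return 0;
}
```

The point the model makes is that the type check closes both paths at once: a port that was never a client port is rejected outright, and a client port can be bound exactly once, because the first successful bind changes its type and every later BIND_CONTROL_PORT on it fails with -EINVAL instead of re-linking it.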

Patch

diff --git a/net/ipc_router/ipc_router_core.c b/net/ipc_router/ipc_router_core.c
index 99486e9..3100ebd 100644
--- a/net/ipc_router/ipc_router_core.c
+++ b/net/ipc_router/ipc_router_core.c
@@ -1,4 +1,4 @@
-/* Copyright (c) 2011-2015, The Linux Foundation. All rights reserved.
+/* Copyright (c) 2011-2016, The Linux Foundation. All rights reserved.
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License version 2 and
@@ -3532,7 +3532,7 @@ int msm_ipc_router_get_curr_pkt_size(struct msm_ipc_port *port_ptr)
 
 int msm_ipc_router_bind_control_port(struct msm_ipc_port *port_ptr)
 {
-   if (!port_ptr)
+   if (unlikely(!port_ptr || port_ptr->type != CLIENT_PORT))
        return -EINVAL;
 
    down_write(&local_ports_lock_lhc2);
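Review bot: the new condition `if (unlikely(!port_ptr || port_ptr->type != CLIENT_PORT))` reads port_ptr->type before down_write(&local_ports_lock_lhc2) is taken, so the check is only sound if a port's type cannot change between this read and the list manipulation that follows under the lock; if the type is updated under a different lock elsewhere, that ordering should be stated in a comment here. A second, smaller point: a non-client port now gets the same -EINVAL as a NULL pointer, so a kernel-doc comment on msm_ipc_router_bind_control_port saying that only CLIENT_PORT ports may be bound, and that a port already bound as a control port is rejected, would make the new contract visible to callers.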
References:
https://source.android.com/security/bulletin/2016-10-01.html
https://blog.checkpoint.com/2016/08/07/quadrooter/