Commit 16981742 authored by Todd Kjos, committed by Greg Kroah-Hartman

binder: fix incorrect calculation for num_valid

For BINDER_TYPE_PTR and BINDER_TYPE_FDA transactions, the
num_valid local was calculated incorrectly causing the
range check in binder_validate_ptr() to miss out-of-bounds

Fixes: bde4a19f ("binder: use userspace pointer as base of buffer space")
Signed-off-by: Todd Kjos <>
Cc: stable <>

Signed-off-by: Greg Kroah-Hartman <>
parent 3e42fe5c
......@@ -3310,7 +3310,7 @@ static void binder_transaction(struct binder_proc *proc,
binder_size_t parent_offset;
struct binder_fd_array_object *fda =
size_t num_valid = (buffer_offset - off_start_offset) *
size_t num_valid = (buffer_offset - off_start_offset) /
struct binder_buffer_object *parent =
binder_validate_ptr(target_proc, t->buffer,
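Review bot: on the `size_t num_valid = (buffer_offset - off_start_offset) /` declaration, nothing states which unit num_valid is in, which is how a `*` could sit here unnoticed. The difference of two offsets divided by a size reads as an element count, so a one-line comment saying it is a count used for the range check in binder_validate_ptr(), not a byte length, would help. The identical expression is assigned again in the -3384 hunk; a small helper used at both sites would keep the two from diverging.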
......@@ -3384,7 +3384,7 @@ static void binder_transaction(struct binder_proc *proc,
t->buffer->user_data + sg_buf_offset;
sg_buf_offset += ALIGN(bp->length, sizeof(u64));
num_valid = (buffer_offset - off_start_offset) *
num_valid = (buffer_offset - off_start_offset) /
ret = binder_fixup_parent(t, thread, bp,
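Review bot: the `/` in the num_valid assignment just before binder_fixup_parent() truncates, so the result is exact only if buffer_offset - off_start_offset is always a multiple of the divisor. If that invariant holds on this path, state it in a comment or assert it; rounding down errs toward a smaller bound, but that should be a documented property rather than a side effect. The patch also carries no test exercising the out-of-bounds case the commit message refers to, which would be worth adding alongside the fix.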