Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 1b598105 authored by Skylar Chang's avatar Skylar Chang Committed by Mohammed Javid
Browse files

msm: IPA: add the check on intf query 



The ipa_ioc_query_intf_rx_props structure comes
from the ioctl handler, and it is verified that
the size of rx buffer does not exceed the
IPA_NUM_PROPS_MAX elements. It is also verified
that the "entry->rx" buffer does not exceed
IPA_NUM_PROPS_MAX when "entry" is allocated.
However, the sizes of the buffer "rx->rx" and
the buffer "entry->rx" are not guaranteed to
be the same and will lead memory corruption
issue. The fix is to add the check before
memcpy.

Change-Id: Idf5c2d32f47c1a1cffeaa5607193855188893ddb
Acked-by: default avatarAshok Vuyyuru <avuyyuru@qti.qualcomm.com>
Signed-off-by: default avatarSkylar Chang <chiaweic@codeaurora.org>
Signed-off-by: default avatarMohammed Javid <mjavid@codeaurora.org>
parent ffd90498

drivers/platform/msm/ipa/ipa_v2/ipa_intf.c

+24 −0
Original line number Diff line number Diff line
@@ -271,6 +271,14 @@ int ipa_query_intf_tx_props(struct ipa_ioc_query_intf_tx_props *tx) 
	mutex_lock(&ipa_ctx->lock);

	list_for_each_entry(entry, &ipa_ctx->intf_list, link) {

		if (!strcmp(entry->name, tx->name)) {

			/* add the entry check */

			if (entry->num_tx_props != tx->num_tx_props) {

				IPAERR("invalid entry number(%u %u)\n",

					entry->num_tx_props,

						tx->num_tx_props);

				mutex_unlock(&ipa_ctx->lock);

				return result;

			}

			memcpy(tx->tx, entry->tx, entry->num_tx_props *

			       sizeof(struct ipa_ioc_tx_intf_prop));

			result = 0;
@@ -304,6 +312,14 @@ int ipa_query_intf_rx_props(struct ipa_ioc_query_intf_rx_props *rx) 
	mutex_lock(&ipa_ctx->lock);

	list_for_each_entry(entry, &ipa_ctx->intf_list, link) {

		if (!strcmp(entry->name, rx->name)) {

			/* add the entry check */

			if (entry->num_rx_props != rx->num_rx_props) {

				IPAERR("invalid entry number(%u %u)\n",

					entry->num_rx_props,

						rx->num_rx_props);

				mutex_unlock(&ipa_ctx->lock);

				return result;

			}

			memcpy(rx->rx, entry->rx, entry->num_rx_props *

					sizeof(struct ipa_ioc_rx_intf_prop));

			result = 0;
@@ -337,6 +353,14 @@ int ipa_query_intf_ext_props(struct ipa_ioc_query_intf_ext_props *ext) 
	mutex_lock(&ipa_ctx->lock);

	list_for_each_entry(entry, &ipa_ctx->intf_list, link) {

		if (!strcmp(entry->name, ext->name)) {

			/* add the entry check */

			if (entry->num_ext_props != ext->num_ext_props) {

				IPAERR("invalid entry number(%u %u)\n",

					entry->num_ext_props,

						ext->num_ext_props);

				mutex_unlock(&ipa_ctx->lock);

				return result;

			}

			memcpy(ext->ext, entry->ext, entry->num_ext_props *

					sizeof(struct ipa_ioc_ext_intf_prop));

			result = 0;

drivers/platform/msm/ipa/ipa_v3/ipa_intf.c

+24 −0
Original line number Diff line number Diff line
@@ -275,6 +275,14 @@ int ipa3_query_intf_tx_props(struct ipa_ioc_query_intf_tx_props *tx) 
	mutex_lock(&ipa3_ctx->lock);

	list_for_each_entry(entry, &ipa3_ctx->intf_list, link) {

		if (!strcmp(entry->name, tx->name)) {

			/* add the entry check */

			if (entry->num_tx_props != tx->num_tx_props) {

				IPAERR("invalid entry number(%u %u)\n",

					entry->num_tx_props,

						tx->num_tx_props);

				mutex_unlock(&ipa3_ctx->lock);

				return result;

			}

			memcpy(tx->tx, entry->tx, entry->num_tx_props *

			       sizeof(struct ipa_ioc_tx_intf_prop));

			result = 0;
@@ -314,6 +322,14 @@ int ipa3_query_intf_rx_props(struct ipa_ioc_query_intf_rx_props *rx) 
	mutex_lock(&ipa3_ctx->lock);

	list_for_each_entry(entry, &ipa3_ctx->intf_list, link) {

		if (!strcmp(entry->name, rx->name)) {

			/* add the entry check */

			if (entry->num_rx_props != rx->num_rx_props) {

				IPAERR("invalid entry number(%u %u)\n",

					entry->num_rx_props,

						rx->num_rx_props);

				mutex_unlock(&ipa3_ctx->lock);

				return result;

			}

			memcpy(rx->rx, entry->rx, entry->num_rx_props *

					sizeof(struct ipa_ioc_rx_intf_prop));

			result = 0;
@@ -348,6 +364,14 @@ int ipa3_query_intf_ext_props(struct ipa_ioc_query_intf_ext_props *ext) 
	mutex_lock(&ipa3_ctx->lock);

	list_for_each_entry(entry, &ipa3_ctx->intf_list, link) {

		if (!strcmp(entry->name, ext->name)) {

			/* add the entry check */

			if (entry->num_ext_props != ext->num_ext_props) {

				IPAERR("invalid entry number(%u %u)\n",

					entry->num_ext_props,

						ext->num_ext_props);

				mutex_unlock(&ipa3_ctx->lock);

				return result;

			}

			memcpy(ext->ext, entry->ext, entry->num_ext_props *

					sizeof(struct ipa_ioc_ext_intf_prop));

			result = 0;