Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 9466d67c authored by Sathish Ambley's avatar Sathish Ambley
Browse files

msm: ADSPRPC: Check for buffer overflow condition 



The buffer length that is being passed could result in overflow
condition causing invalid memory to be accessed.

Change-Id: I3e23f31b8cb61f8e77d09a39fab4a2d4c222cf25
Signed-off-by: default avatarSathish Ambley <sathishambley@codeaurora.org>
parent 96337de3

drivers/char/adsprpc.c

+14 −4
Original line number Diff line number Diff line
@@ -672,9 +672,9 @@ static int overlap_ptr_cmp(const void *a, const void *b) 
	return st == 0 ? ed : st;

}



static void context_build_overlap(struct smq_invoke_ctx *ctx)

static int context_build_overlap(struct smq_invoke_ctx *ctx)

{

	int i;

	int i, err = 0;

	remote_arg_t *lpra = ctx->lpra;

	int inbufs = REMOTE_SCALARS_INBUFS(ctx->sc);

	int outbufs = REMOTE_SCALARS_OUTBUFS(ctx->sc);
@@ -684,6 +684,11 @@ static void context_build_overlap(struct smq_invoke_ctx *ctx) 
	for (i = 0; i < nbufs; ++i) {

		ctx->overs[i].start = (uintptr_t)lpra[i].buf.pv;

		ctx->overs[i].end = ctx->overs[i].start + lpra[i].buf.len;

		if (lpra[i].buf.len) {

			VERIFY(err, ctx->overs[i].end > ctx->overs[i].start);

			if (err)

				goto bail;

		}

		ctx->overs[i].raix = i;

		ctx->overps[i] = &ctx->overs[i];

	}
@@ -709,6 +714,8 @@ static void context_build_overlap(struct smq_invoke_ctx *ctx) 
			max = *ctx->overps[i];

		}

	}

bail:

	return err;

}



#define K_COPY_FROM_USER(err, kernel, dst, src, size) \
@@ -781,8 +788,11 @@ static int context_alloc(struct fastrpc_file *fl, uint32_t kernel, 
	}



	ctx->sc = invoke->sc;

	if (bufs)

		context_build_overlap(ctx);

	if (bufs) {

		VERIFY(err, 0 == context_build_overlap(ctx));

		if (err)

			goto bail;

	}

	ctx->retval = -1;

	ctx->pid = current->pid;

	ctx->tgid = current->tgid;