
Commit ebdc05e6 authored by Edgar Flores Committed by vgattupa

msm: ADSPRPC: Fix buffer length for capability API



The buffer size was being set incorrectly: the buffer length for the DSP
attributes was set to 4 times the actual buffer size. This caused a
stack-out-of-bounds access when put_args tried to copy the buffer back.
The fix is to set the buffer length to the correct size of the DSP attributes buffer.

Change-Id: I755034ca503d58443fa6f14bf03c18d448b290b4
Signed-off-by: Edgar Flores <edgarf@codeaurora.org>
parent cb770397
+9 −9
@@ -2432,10 +2432,11 @@ static int fastrpc_init_process(struct fastrpc_file *fl,
}

static int fastrpc_get_info_from_dsp(struct fastrpc_file *fl,
				uint32_t *dsp_attr, uint32_t dsp_attr_size,
				uint32_t *dsp_attr_buf,
				uint32_t dsp_attr_buf_len,
				uint32_t domain)
{
	int err = 0, dsp_cap_buff_size, dsp_support = 0;
	int err = 0, dsp_support = 0;
	struct fastrpc_ioctl_invoke_crc ioctl;
	remote_arg_t ra[2];
	struct fastrpc_apps *me = &gfa;
@@ -2455,7 +2456,7 @@ static int fastrpc_get_info_from_dsp(struct fastrpc_file *fl,
		dsp_support = 0;
		break;
	}
	dsp_attr[0] = dsp_support;
	dsp_attr_buf[0] = dsp_support;

	if (dsp_support == 0) {
		err = -ENOTCONN;
@@ -2466,11 +2467,10 @@ static int fastrpc_get_info_from_dsp(struct fastrpc_file *fl,
	if (err)
		goto bail;

	dsp_cap_buff_size = dsp_attr_size - sizeof(uint32_t);
	ra[0].buf.pv = (void *)&dsp_cap_buff_size;
	ra[0].buf.len = sizeof(dsp_cap_buff_size);
	ra[1].buf.pv = (void *)(&dsp_attr[1]);
	ra[1].buf.len = dsp_cap_buff_size * sizeof(uint32_t);
	ra[0].buf.pv = (void *)&dsp_attr_buf_len;
	ra[0].buf.len = sizeof(dsp_attr_buf_len);
	ra[1].buf.pv = (void *)(&dsp_attr_buf[1]);
	ra[1].buf.len = dsp_attr_buf_len * sizeof(uint32_t);
	ioctl.inv.handle = FASTRPC_STATIC_HANDLE_DSP_UTILITIES;
	ioctl.inv.sc = REMOTE_SCALARS_MAKE(0, 1, 1);
	ioctl.inv.pra = ra;
@@ -2502,7 +2502,7 @@ static int fastrpc_get_info_from_kernel(
		 * and cache on kernel
		 */
		err = fastrpc_get_info_from_dsp(fl, dsp_cap->dsp_attributes,
				sizeof(dsp_cap->dsp_attributes),
				FASTRPC_MAX_DSP_ATTRIBUTES - 1,
				domain);
		if (err)
			goto bail;
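Review bot: The size contract of `fastrpc_get_info_from_dsp` is implicit and off by one from what the parameter name suggests: the function writes `dsp_attr_buf[0]` and then hands the DSP `dsp_attr_buf_len` words starting at `&dsp_attr_buf[1]`, so the caller's array must hold `dsp_attr_buf_len + 1` elements. The only thing keeping `ra[1].buf.len` inside the array is the `FASTRPC_MAX_DSP_ATTRIBUTES - 1` at the call site in `fastrpc_get_info_from_kernel`, which presumably matches the declared size of `dsp_cap->dsp_attributes` (the declaration is not visible here). I would document this above the function, e.g. `/* dsp_attr_buf holds dsp_attr_buf_len + 1 words: [0] = support flag, [1..] filled by the DSP */`, so a later caller passing the full element count does not reintroduce the out-of-bounds copy-back in put_args. Both function bodies continue outside the hunks shown.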