
Commit 860b36b8 authored by Gaurav Kashyap's avatar Gaurav Kashyap Committed by Gerrit - the friendly Code Review server

qcedev: check num_fds during unmap



check the num_fds passed into unmap buf ioctl,
or else it can lead to an out of bounds access.

Test: Build compilation. qcedev tests.

Change-Id: I206ba01dfa989346ade769a0f68b372b21f84043
Signed-off-by: default avatarGaurav Kashyap <quic_gaurkash@quicinc.com>
Signed-off-by: default avatarPranav Lavhate <quic_plavhate@quicinc.com>
parent 4e4f2b2b
+9 −1
@@ -2036,7 +2036,9 @@ static inline long qcedev_ioctl(struct file *file,
				goto exit_free_qcedev_areq;
			}

			if (map_buf.num_fds > QCEDEV_MAX_BUFFERS) {
			if (map_buf.num_fds > ARRAY_SIZE(map_buf.fd)) {
				pr_err("%s: err: num_fds = %d exceeds max value\n",
				__func__, map_buf.num_fds);
				err = -EINVAL;
				goto exit_free_qcedev_areq;
			}
@@ -2076,6 +2078,12 @@ static inline long qcedev_ioctl(struct file *file,
				err = -EFAULT;
				goto exit_free_qcedev_areq;
			}
			if (unmap_buf.num_fds > ARRAY_SIZE(unmap_buf.fd)) {
				pr_err("%s: err: num_fds = %d exceeds max value\n",
				__func__, unmap_buf.num_fds);
				err = -EINVAL;
				goto exit_free_qcedev_areq;
			}

			for (i = 0; i < unmap_buf.num_fds; i++) {
				err = qcedev_check_and_unmap_buffer(handle,
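Review bot: The `pr_err` added in the unmap branch, and the matching one added to the map branch in the first hunk, logs a value taken directly from the ioctl caller, so a process that can open the device can fill the kernel log by repeating the call with an oversized `num_fds`. Using `pr_err_ratelimited("%s: err: num_fds = %u exceeds max value\n", __func__, unmap_buf.num_fds);` in both places keeps the diagnostic while bounding the log volume. The `%u` assumes `num_fds` is an unsigned field, which neither hunk shows; if it is, the current `%d` prints rejected values above INT_MAX as negative numbers. The bound check itself sits correctly ahead of the `for (i = 0; i < unmap_buf.num_fds; i++)` loop. qcedev_ioctl begins and ends outside both hunks, so the declarations of `i` and the request structs could not be checked here.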