
Commit c59bd17c authored by Manoj Prabhu B

diag: Sanitize the mempools with pool data size check



When allocating mempool memory sanitize the size check against
the pool data size. Update the pool data size as well whenever
itemsize is updated.

Change-Id: I7c426cfe35c35d5c2e7e5eefae710215097fbea0
Signed-off-by: Manoj Prabhu B <bmanoj@codeaurora.org>
parent 32c56a57
+6 −2
// SPDX-License-Identifier: GPL-2.0-only
/* Copyright (c) 2008-2014, 2016-2019 The Linux Foundation. All rights reserved.
/* Copyright (c) 2008-2014, 2016-2019, 2021 The Linux Foundation. All rights reserved.
 */

#include <linux/init.h>
@@ -143,6 +143,9 @@ void diagmem_setsize(int pool_idx, int itemsize, int poolsize)
	}

	diag_mempools[pool_idx].itemsize = itemsize;
	if (diag_mempools[pool_idx].pool)
		diag_mempools[pool_idx].pool->pool_data =
			(void *)(uintptr_t)itemsize;
	diag_mempools[pool_idx].poolsize = poolsize;
	pr_debug("diag: Mempool %s sizes: itemsize %d poolsize %d\n",
		 diag_mempools[pool_idx].name, diag_mempools[pool_idx].itemsize,
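Review bot: In diagmem_setsize(), the new write to `pool->pool_data` raises or lowers the limit that diagmem_alloc() checks, but it does not resize anything the pool already holds. Assuming this is a kmalloc-backed mempool that uses pool_data as its element size, elements reserved when the pool was created keep their original size, so if itemsize can grow on this path a reserved element handed out later may be smaller than the new pool_data and the size check would still pass. Either reject an itemsize larger than the existing pool_data once the pool exists, or document that diagmem_setsize() must only run before the pool is created.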
@@ -168,7 +171,8 @@ void *diagmem_alloc(struct diagchar_dev *driver, int size, int pool_type)
					   mempool->name);
			break;
		}
		if (size == 0 || size > mempool->itemsize) {
		if (size == 0 || size > mempool->itemsize ||
			size > (int)mempool->pool->pool_data) {
			pr_err_ratelimited("diag: cannot alloc from mempool %s, invalid size: %d\n",
					   mempool->name, size);
			break;
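Review bot: The added condition `size > (int)mempool->pool->pool_data` casts a `void *` straight to `int`, which is a pointer-to-narrower-integer cast on 64-bit builds and draws a compiler warning; go through uintptr_t as the setter does, for example `size > (int)(uintptr_t)mempool->pool->pool_data`. The condition also dereferences `mempool->pool` unconditionally, while diagmem_setsize() guards the same pointer with a NULL test, so confirm that the check ending just above this line covers a NULL pool. A short comment saying why both itemsize and pool_data are compared would help, since after this change they are meant to hold the same value.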