Commit e61ba983 authored Feb 25, 2021 by Vamsi Krishna Gattupalli

msm: adsprpc: Do length check to avoid arbitrary memory access



Do length check while mapping ion buffers to
avoid arbitrary physical memory read on DSP
which can lead to DOS.

Change-Id: I6334d4ceac795595aa3dc4bc71e6c736d2461c51
Signed-off-by: Vamsi Krishna Gattupalli <quic_vgattupa@quicinc.com>

parent 7e6242a7

drivers/char/adsprpc.c

+2 −1

Original line number	Diff line number	Diff line
		@@ -1846,7 +1846,8 @@ static int get_args(uint32_t kernel, struct smq_invoke_ctx *ctx)
		}
		offset = buf_page_start(buf) - vma->vm_start;
		up_read(&current->mm->mmap_sem);
		VERIFY(err, offset < (uintptr_t)map->size);
		VERIFY(err,
		offset + len <= (uintptr_t)map->size);
		if (err)
		goto bail;
		}