Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit e61ba983 authored by Vamsi Krishna Gattupalli's avatar Vamsi Krishna Gattupalli
Browse files

msm: adsprpc: Do length check to avoid arbitrary memory access



Do length check while mapping ion buffers to
avoid arbitrary physical memory read on DSP
which can lead to DOS.

Change-Id: I6334d4ceac795595aa3dc4bc71e6c736d2461c51
Signed-off-by: default avatarVamsi Krishna Gattupalli <quic_vgattupa@quicinc.com>
parent 7e6242a7
Loading
Loading
Loading
Loading
+2 −1
Original line number Diff line number Diff line
@@ -1846,7 +1846,8 @@ static int get_args(uint32_t kernel, struct smq_invoke_ctx *ctx)
				}
				offset = buf_page_start(buf) - vma->vm_start;
				up_read(&current->mm->mmap_sem);
				VERIFY(err, offset < (uintptr_t)map->size);
				VERIFY(err,
					offset + len <= (uintptr_t)map->size);
				if (err)
					goto bail;
			}