
Commit 013c2977 authored by Jeya R

msm: adsprpc: Do length check to avoid arbitrary memory access



Do length check while mapping ion buffers to
avoid arbitrary physical memory read on DSP
which can lead to DOS.

Change-Id: I6334d4ceac795595aa3dc4bc71e6c736d2461c51
Acked-by: Deepika Singh <dsi@qti.qualcomm.com>
Signed-off-by: Jeya R <jeyr@codeaurora.org>
parent cfc04e49
+1 −1
@@ -2397,7 +2397,7 @@ static int get_args(uint32_t kernel, struct smq_invoke_ctx *ctx)
				}
				offset = buf_page_start(buf) - vma->vm_start;
				up_read(&current->mm->mmap_sem);
				VERIFY(err, offset < (uintptr_t)map->size);
				VERIFY(err, offset + len <= (uintptr_t)map->size);
				if (err) {
					ADSPRPC_ERR(
						"buffer address is invalid for the fd passed for %d address 0x%llx and size %zu\n",