Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 380dc4af authored by Alex Elder's avatar Alex Elder Committed by Andy Gross
Browse files

soc: qcom: smem: verify partition offset_free_uncached 



Add verification in qcom_smem_partition_header() that the
offset_free_uncached field in a partition's header structure does
not exceed the partition's size.

Signed-off-by: default avatarAlex Elder <elder@linaro.org>
Signed-off-by: default avatarAndy Gross <andy.gross@linaro.org>
parent 190b216c

drivers/soc/qcom/smem.c

+7 −14
Original line number Diff line number Diff line
@@ -751,6 +751,12 @@ qcom_smem_partition_header(struct qcom_smem *smem, 
		return NULL;

	}



	if (le32_to_cpu(header->offset_free_uncached) > size) {

		dev_err(smem->dev, "bad partition free uncached (%u > %u)\n",

			le32_to_cpu(header->offset_free_uncached), size);

		return NULL;

	}



	return header;

}
@@ -759,7 +765,7 @@ static int qcom_smem_set_global_partition(struct qcom_smem *smem) 
	struct smem_partition_header *header;

	struct smem_ptable_entry *entry;

	struct smem_ptable *ptable;

	u32 host0, host1, size;

	u32 host0, host1;

	bool found = false;

	int i;
@@ -804,13 +810,6 @@ static int qcom_smem_set_global_partition(struct qcom_smem *smem) 
		return -EINVAL;

	}



	size = le32_to_cpu(header->offset_free_uncached);

	if (size > le32_to_cpu(header->size)) {

		dev_err(smem->dev,

			"Global partition has invalid free pointer\n");

		return -EINVAL;

	}



	smem->global_partition = header;

	smem->global_cacheline = le32_to_cpu(entry->cacheline);
@@ -874,12 +873,6 @@ static int qcom_smem_enumerate_partitions(struct qcom_smem *smem, 
			return -EINVAL;

		}



		if (le32_to_cpu(header->offset_free_uncached) > le32_to_cpu(header->size)) {

			dev_err(smem->dev,

				"Partition %d has invalid free pointer\n", i);

			return -EINVAL;

		}



		smem->partitions[remote_host] = header;

		smem->cacheline[remote_host] = le32_to_cpu(entry->cacheline);

	}