Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit b59a9f34 authored by Prakruthi Deepak Heragu's avatar Prakruthi Deepak Heragu Committed by Gerrit - the friendly Code Review server
Browse files

haven: hh_rm_iface: Avoid integer overflow for req_payload_size calculation 



There is a possibility for the calculation to overflow when size is large
enough to overflow when added to the size of payload. Ensure that this
overflow is caught early.

Change-Id: I876fbaa704ba51dc4a9e4eb4d3f7f0eaa749e06d
Signed-off-by: default avatarPrakruthi Deepak Heragu <pheragu@codeaurora.org>
Signed-off-by: default avatarSwetha Chikkaboraiah <schikk@codeaurora.org>
parent b4f4115e

drivers/virt/haven/hh_rm_iface.c

+4 −2
Original line number Diff line number Diff line 
// SPDX-License-Identifier: GPL-2.0-only

/*

 * Copyright (c) 2020, The Linux Foundation. All rights reserved.

 * Copyright (c) 2020-2021, The Linux Foundation. All rights reserved.

 *

 */
@@ -121,6 +121,8 @@ hh_rm_vm_get_hyp_res(hh_vmid_t vmid, u32 *n_entries) 


	/* The response payload should contain all the resource entries */

	if (resp_payload_size < sizeof(*n_entries) ||

		(sizeof(*n_entries) > (U32_MAX -

		(resp_payload->n_resource_entries * sizeof(*resp_entries)))) ||

		resp_payload_size != sizeof(*n_entries) +

		(resp_payload->n_resource_entries * sizeof(*resp_entries))) {

		pr_err("%s: Invalid size received for GET_HYP_RESOURCES: %u\n",
@@ -614,7 +616,7 @@ int hh_rm_console_write(hh_vmid_t vmid, const char *buf, size_t size) 
	int reply_err_code = 0;

	size_t req_payload_size = sizeof(*req_payload) + size;



	if (size < 1 || size > U32_MAX)

	if (size < 1 || size > (U32_MAX - sizeof(*req_payload)))

		return -EINVAL;



	req_payload = kzalloc(req_payload_size, GFP_KERNEL);