Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit cfc3db05 authored Sep 07, 2017 by Mohammed Javid

msm:ipa: Fix to slab out of bounds access



Accessing of incorrect structure pointer is causing
slab-out-of-bounds access, fixed issue by accessing
the correct structure pointer.

Change-Id: I23d3c9afbbabba88be92ef5cae83c4708a211e88
Acked-by: Ashok Vuyyuru <avuyyuru@qti.qualcomm.com>
Signed-off-by: Mohammed Javid <mjavid@codeaurora.org>

parent f035a4ad

drivers/platform/msm/ipa/ipa_v3/ipa_debugfs.c

+4 −3

Original line number	Diff line number	Diff line
		@@ -900,10 +900,11 @@ static ssize_t ipa3_read_flt(struct file file, char __user ubuf, size_t count,
		eq = true;
		} else {
		rt_tbl = ipa3_id_find(entry->rule.rt_tbl_hdl);
		if (rt_tbl)
		rt_tbl_idx = rt_tbl->idx;
		else
		if (rt_tbl == NULL \|\|
		rt_tbl->cookie != IPA_RT_TBL_COOKIE)
		rt_tbl_idx = ~0;
		else
		rt_tbl_idx = rt_tbl->idx;
		bitmap = entry->rule.attrib.attrib_mask;
		eq = false;
		}

drivers/platform/msm/ipa/ipa_v3/ipa_flt.c

+7 −0

Original line number	Diff line number	Diff line
		@@ -1167,6 +1167,13 @@ int ipa3_add_flt_rule_after(struct ipa_ioc_add_flt_rule_after *rules)
		goto bail;
		}

		if (entry->cookie != IPA_FLT_COOKIE) {
		IPAERR_RL("Invalid cookie value = %u flt hdl id = %d\n",
		entry->cookie, rules->add_after_hdl);
		result = -EINVAL;
		goto bail;
		}

		if (entry->tbl != tbl) {
		IPAERR_RL("given entry does not match the table\n");
		result = -EINVAL;

drivers/platform/msm/ipa/ipa_v3/ipa_rt.c

+7 −0

Original line number	Diff line number	Diff line
		@@ -1138,6 +1138,13 @@ int ipa3_add_rt_rule_after(struct ipa_ioc_add_rt_rule_after *rules)
		goto bail;
		}

		if (entry->cookie != IPA_RT_RULE_COOKIE) {
		IPAERR_RL("Invalid cookie value = %u rule %d in rt tbls\n",
		entry->cookie, rules->add_after_hdl);
		ret = -EINVAL;
		goto bail;
		}

		if (entry->tbl != tbl) {
		IPAERR_RL("given rt rule does not match the table\n");
		ret = -EINVAL;