Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 5292eead authored by Fred Oh's avatar Fred Oh
Browse files

ASoc: msm: qdsp6v2: add vm page offset validation 



Lack of range validation can lead wrong mapping or expose arbitrary
memory page to userspace

Change-Id: I8c6eb1b7255d444bffd9d3748ca4815b11bdf16a
Signed-off-by: default avatarFred Oh <fred@codeaurora.org>
parent b4084af2

arch/arm/mach-msm/qdsp6v2/msm_audio_ion.c

+7 −0
Original line number Diff line number Diff line
@@ -275,6 +275,7 @@ int msm_audio_ion_mmap(struct audio_buffer *ab, 
	} else {

		ion_phys_addr_t phys_addr;

		size_t phys_len;

		size_t va_len = 0;

		pr_debug("%s: page is NULL\n", __func__);



		ret = ion_phys(ab->client, ab->handle, &phys_addr, &phys_len);
@@ -288,6 +289,12 @@ int msm_audio_ion_mmap(struct audio_buffer *ab, 
			vma, (unsigned int)vma->vm_start,

			(unsigned int)vma->vm_end, vma->vm_pgoff,

			(unsigned long int)vma->vm_page_prot);

		va_len = vma->vm_end - vma->vm_start;

		if ((offset > phys_len) || (va_len > phys_len-offset)) {

			pr_err("wrong offset size %ld, lens= %d, va_len=%d\n",

				offset, phys_len, va_len);

			return -EINVAL;

		}

		ret =  remap_pfn_range(vma, vma->vm_start,

				__phys_to_pfn(phys_addr) + vma->vm_pgoff,

				vma->vm_end - vma->vm_start,