Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 30d7dbe9 authored by Linux Build Service Account's avatar Linux Build Service Account Committed by Gerrit - the friendly Code Review server
Browse files

Merge "soc: qcom: scm: add check to avoid buffer overflow"

parents daa76527 b432915a
Loading
Loading
Loading
Loading
+12 −6
Original line number Diff line number Diff line
@@ -56,9 +56,16 @@ DEFINE_MUTEX(scm_lmh_lock);
#define SMC_ATOMIC_MASK 0x80000000
#define IS_CALL_AVAIL_CMD 1

#define SCM_BUF_LEN(__cmd_size, __resp_size)	\
	(sizeof(struct scm_command) + sizeof(struct scm_response) + \
		__cmd_size + __resp_size)
#define SCM_BUF_LEN(__cmd_size, __resp_size) ({ \
	size_t x =  __cmd_size + __resp_size; \
	size_t y = sizeof(struct scm_command) + sizeof(struct scm_response); \
	size_t result; \
	if (x < __cmd_size || (x + y) < x) \
		result = 0; \
	else \
		result = x + y; \
	result; \
	})
/**
 * struct scm_command - one SCM command buffer
 * @len: total available memory for command and response
@@ -357,8 +364,7 @@ int scm_call_noalloc(u32 svc_id, u32 cmd_id, const void *cmd_buf,
	int ret;
	size_t len = SCM_BUF_LEN(cmd_len, resp_len);

	if (cmd_len > scm_buf_len || resp_len > scm_buf_len ||
	    len > scm_buf_len)
	if (len == 0)
		return -EINVAL;

	if (!IS_ALIGNED((unsigned long)scm_buf, PAGE_SIZE))
@@ -783,7 +789,7 @@ int scm_call(u32 svc_id, u32 cmd_id, const void *cmd_buf, size_t cmd_len,
	int ret;
	size_t len = SCM_BUF_LEN(cmd_len, resp_len);

	if (cmd_len > len || resp_len > len)
	if (len == 0 || PAGE_ALIGN(len) < len)
		return -EINVAL;

	cmd = kzalloc(PAGE_ALIGN(len), GFP_KERNEL);