
Commit 7c0d5200 authored by Gaurav Kashyap's avatar Gaurav Kashyap Committed by Pranav Lavhate

qcedev: check num_fds during unmap



Check the num_fds passed into the unmap buf ioctl;
otherwise it can lead to an out-of-bounds access.

Test: Build compilation. qcedev tests.

Change-Id: Ia6c0df1d630f4ff1d93d782d68e2a17edfb4d229
Signed-off-by: default avatarGaurav Kashyap <quic_gaurkash@quicinc.com>
Signed-off-by: default avatarPranav Lavhate <quic_plavhate@quicinc.com>
parent 3909c0b8
+9 −1
@@ -1915,7 +1915,9 @@ static inline long qcedev_ioctl(struct file *file,
				goto exit_free_qcedev_areq;
			}

			if (map_buf.num_fds > QCEDEV_MAX_BUFFERS) {
			if (map_buf.num_fds > ARRAY_SIZE(map_buf.fd)) {
				pr_err("%s: err: num_fds = %d exceeds max value\n",
				__func__, map_buf.num_fds);
				err = -EINVAL;
				goto exit_free_qcedev_areq;
			}
@@ -1955,6 +1957,12 @@ static inline long qcedev_ioctl(struct file *file,
				err = -EFAULT;
				goto exit_free_qcedev_areq;
			}
			if (unmap_buf.num_fds > ARRAY_SIZE(unmap_buf.fd)) {
				pr_err("%s: err: num_fds = %d exceeds max value\n",
				__func__, unmap_buf.num_fds);
				err = -EINVAL;
				goto exit_free_qcedev_areq;
			}

			for (i = 0; i < unmap_buf.num_fds; i++) {
				err = qcedev_check_and_unmap_buffer(handle,
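Review bot: The `pr_err` added to the unmap branch, like the matching one in the map branch, is driven by a `num_fds` value that appears to come straight from the ioctl argument, so a caller repeating the request with an oversized count can fill the kernel log at will. A rate-limited form keeps the diagnostic without that side effect: `pr_err_ratelimited("%s: err: num_fds = %u exceeds max value\n", __func__, unmap_buf.num_fds);`. The `%d` specifier also looks mismatched if `num_fds` is an unsigned field; its declaration is not visible here, so confirm the type before switching to `%u`. The bound itself is taken from `ARRAY_SIZE(unmap_buf.fd)`, so if the loop that follows indexes any other per-buffer array in the request, that array needs to be at least as long. qcedev_ioctl begins and ends outside the hunks shown, so the loop body and the `exit_free_qcedev_areq` path could not be checked.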