
Commit af0231d9 authored by Manoj Prabhu B's avatar Manoj Prabhu B Committed by Gerrit - the friendly Code Review server

diag: Sanitize the mempools with pool data size check



When allocating mempool memory, sanitize the size check against
the pool data size. Update the pool data size as well whenever
itemsize is updated.

Change-Id: I7c426cfe35c35d5c2e7e5eefae710215097fbea0
Signed-off-by: default avatarManoj Prabhu B <bmanoj@codeaurora.org>
parent df15953d
+7 −5
/* Copyright (c) 2008-2020, The Linux Foundation. All rights reserved.
/* Copyright (c) 2008-2021, The Linux Foundation. All rights reserved.
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License version 2 and
@@ -1996,13 +1996,15 @@ static int diag_switch_logging(struct diag_logging_mode_param_t *param)
				driver->pcie_switch_pid = current->tgid;
			}
			if (new_mode == DIAG_PCIE_MODE) {
				driver->transport_set = DIAG_ROUTE_TO_PCIE;
				driver->transport_set =
					DIAG_ROUTE_TO_PCIE;
				diagmem_setsize(POOL_TYPE_MUX_APPS,
					itemsize_pcie_apps,
					(poolsize_pcie_apps + 1 +
						(NUM_PERIPHERALS * 6)));
			} else if (new_mode == DIAG_USB_MODE) {
				driver->transport_set = DIAG_ROUTE_TO_USB;
				driver->transport_set =
					DIAG_ROUTE_TO_USB;
				diagmem_setsize(POOL_TYPE_MUX_APPS,
					itemsize_usb_apps,
					(poolsize_usb_apps + 1 +
@@ -4400,7 +4402,7 @@ static void diag_init_transport(void)
	 * The number of buffers encompasses Diag data generated on
	 * the Apss processor + 1 for the responses generated
	 * exclusively on the Apps processor + data from data channels
	 *(4 channels periperipheral) + data from command channels (2)
	 *(4 channels per peripheral) + data from command channels (2)
	 */
	diagmem_setsize(POOL_TYPE_MUX_APPS, itemsize_pcie_apps,
		poolsize_pcie_apps + 1 + (NUM_PERIPHERALS * 6));
@@ -4419,7 +4421,7 @@ static void diag_init_transport(void)
	 * The number of buffers encompasses Diag data generated on
	 * the Apss processor + 1 for the responses generated
	 * exclusively on the Apps processor + data from data channels
	 *(4 channels periperipheral) + data from command channels (2)
	 *(4 channels per peripheral) + data from command channels (2)
	 */
	diagmem_setsize(POOL_TYPE_MUX_APPS, itemsize_usb_apps,
		poolsize_usb_apps + 1 + (NUM_PERIPHERALS * 6));
+6 −2
/* Copyright (c) 2008-2014, 2016-2017, 2019 The Linux Foundation. All rights reserved.
/* Copyright (c) 2008-2014, 2016-2017, 2019, 2021 The Linux Foundation. All rights reserved.
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License version 2 and
@@ -152,6 +152,9 @@ void diagmem_setsize(int pool_idx, int itemsize, int poolsize)
	}

	diag_mempools[pool_idx].itemsize = itemsize;
	if (diag_mempools[pool_idx].pool)
		diag_mempools[pool_idx].pool->pool_data =
			(void *)(uintptr_t)itemsize;
	diag_mempools[pool_idx].poolsize = poolsize;
	pr_debug("diag: Mempool %s sizes: itemsize %d poolsize %d\n",
		 diag_mempools[pool_idx].name, diag_mempools[pool_idx].itemsize,
@@ -177,7 +180,8 @@ void *diagmem_alloc(struct diagchar_dev *driver, int size, int pool_type)
					   mempool->name);
			break;
		}
		if (size == 0 || size > mempool->itemsize) {
		if (size == 0 || size > mempool->itemsize ||
			size > (int)mempool->pool->pool_data) {
			pr_err_ratelimited("diag: cannot alloc from mempool %s, invalid size: %d\n",
					   mempool->name, size);
			break;
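Review bot: In diagmem_setsize, rewriting `pool->pool_data` only changes the size used for elements allocated from now on; elements already sitting in the pool's reserve keep the size they were created with. If this is a kmalloc-backed mempool created earlier with a smaller itemsize (pool creation is not visible on this page), a reserved element handed out under memory pressure could be smaller than the limit diagmem_alloc now accepts, so the new `size > pool_data` test would not catch it. I would either recreate the pool when itemsize grows or document the restriction next to the assignment, e.g. `/* pool_data sizes new elements only; reserved elements keep their creation-time size */`. Separately, the load in diagmem_alloc should mirror the store and read `size > (int)(uintptr_t)mempool->pool->pool_data`, since casting a pointer straight to `int` is a different-size conversion on 64-bit builds. Both function bodies start and end outside their hunks.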