evie/android_kernel_oneplus_msm8998
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

msm: ipa3: Fix to validate the user inputs

Browse source 
Adding code changes to validate user inputs.
Before allocating the NAT entry verifying the
NAT entry size in range or not.

Change-Id: I21147f20a12243af5d21aebdc206703964db2be4
Acked-by: Ashok Vuyyuru <avuyyuru@qti.qualcomm.com>
Signed-off-by: Mohammed Javid <mjavid@codeaurora.org>
This commit is contained in:
Mohammed Javid 2018-10-08 20:04:48 +05:30 committed by Gerrit - the friendly Code Review server
parent 36ffd181f1
commit 25611b44f1
2 changed files with 28 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

14
drivers/platform/msm/ipa/ipa_v2/ipa_nat.c
View file

@ -35,6 +35,13 @@ enum nat_table_type {
#define NAT_TABLE_ENTRY_SIZE_BYTE 32 #define NAT_TABLE_ENTRY_SIZE_BYTE 32
#define NAT_INTEX_TABLE_ENTRY_SIZE_BYTE 4 #define NAT_INTEX_TABLE_ENTRY_SIZE_BYTE 4
/*
* Max NAT table entries is limited 1000 entries.
* Limit the memory size required by user to prevent kernel memory starvation
*/
#define IPA_TABLE_MAX_ENTRIES 1000
#define MAX_ALLOC_NAT_SIZE (IPA_TABLE_MAX_ENTRIES * NAT_TABLE_ENTRY_SIZE_BYTE)
static int ipa_nat_vma_fault_remap( static int ipa_nat_vma_fault_remap(
struct vm_area_struct *vma, struct vm_fault *vmf) struct vm_area_struct *vma, struct vm_fault *vmf)
{ {
@ -270,6 +277,13 @@ int ipa2_allocate_nat_device(struct ipa_ioc_nat_alloc_mem *mem)
goto bail; goto bail;
} }
if (mem->size > MAX_ALLOC_NAT_SIZE) {
IPAERR("Trying allocate more size = %zu, Max allowed = %d\n",
mem->size, MAX_ALLOC_NAT_SIZE);
result = -EPERM;
goto bail;
}
if (mem->size <= 0 || if (mem->size <= 0 ||
nat_ctx->is_dev_init == true) { nat_ctx->is_dev_init == true) {
IPAERR_RL("Invalid Parameters or device is already init\n"); IPAERR_RL("Invalid Parameters or device is already init\n");

14
drivers/platform/msm/ipa/ipa_v3/ipa_nat.c
View file

@ -34,6 +34,13 @@ enum nat_table_type {
#define NAT_TABLE_ENTRY_SIZE_BYTE 32 #define NAT_TABLE_ENTRY_SIZE_BYTE 32
#define NAT_INTEX_TABLE_ENTRY_SIZE_BYTE 4 #define NAT_INTEX_TABLE_ENTRY_SIZE_BYTE 4
/*
* Max NAT table entries is limited 1000 entries.
* Limit the memory size required by user to prevent kernel memory starvation
*/
#define IPA_TABLE_MAX_ENTRIES 1000
#define MAX_ALLOC_NAT_SIZE (IPA_TABLE_MAX_ENTRIES * NAT_TABLE_ENTRY_SIZE_BYTE)
static int ipa3_nat_vma_fault_remap( static int ipa3_nat_vma_fault_remap(
struct vm_area_struct *vma, struct vm_fault *vmf) struct vm_area_struct *vma, struct vm_fault *vmf)
{ {
@ -272,6 +279,13 @@ int ipa3_allocate_nat_device(struct ipa_ioc_nat_alloc_mem *mem)
goto bail; goto bail;
} }
if (mem->size > MAX_ALLOC_NAT_SIZE) {
IPAERR("Trying allocate more size = %zu, Max allowed = %d\n",
mem->size, MAX_ALLOC_NAT_SIZE);
result = -EPERM;
goto bail;
}
if (mem->size <= 0 || if (mem->size <= 0 ||
nat_ctx->is_dev_init == true) { nat_ctx->is_dev_init == true) {
IPAERR_RL("Invalid Parameters or device is already init\n"); IPAERR_RL("Invalid Parameters or device is already init\n");