evie/android_kernel_oneplus_msm8998
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

msm: ADSPRPC: Check for buffer overflow condition

Browse source 
The buffer length that is being passed could result in overflow
condition causing invalid memory to be accessed.

Change-Id: I3e23f31b8cb61f8e77d09a39fab4a2d4c222cf25
Signed-off-by: Sathish Ambley <sathishambley@codeaurora.org>
This commit is contained in:
Sathish Ambley 2017-01-25 10:51:55 -08:00 committed by Gerrit - the friendly Code Review server
parent 314869eb56
commit 3823f0f8d0
1 changed files with 14 additions and 4 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

18
drivers/char/adsprpc.c
View file

@ -805,9 +805,9 @@ static int overlap_ptr_cmp(const void *a, const void *b)
return st == 0 ? ed : st;
}
static void context_build_overlap(struct smq_invoke_ctx *ctx)
static int context_build_overlap(struct smq_invoke_ctx *ctx)
{
int i;
int i, err = 0;
remote_arg_t *lpra = ctx->lpra;
int inbufs = REMOTE_SCALARS_INBUFS(ctx->sc);
int outbufs = REMOTE_SCALARS_OUTBUFS(ctx->sc);
@ -816,6 +816,11 @@ static void context_build_overlap(struct smq_invoke_ctx *ctx)
for (i = 0; i < nbufs; ++i) {
ctx->overs[i].start = (uintptr_t)lpra[i].buf.pv;
ctx->overs[i].end = ctx->overs[i].start + lpra[i].buf.len;
if (lpra[i].buf.len) {
VERIFY(err, ctx->overs[i].end > ctx->overs[i].start);
if (err)
goto bail;
}
ctx->overs[i].raix = i;
ctx->overps[i] = &ctx->overs[i];
}
@ -841,6 +846,8 @@ static void context_build_overlap(struct smq_invoke_ctx *ctx)
max = *ctx->overps[i];
}
}
bail:
return err;
}
#define K_COPY_FROM_USER(err, kernel, dst, src, size) \
@ -913,8 +920,11 @@ static int context_alloc(struct fastrpc_file *fl, uint32_t kernel,
}
ctx->sc = invoke->sc;
if (bufs)
context_build_overlap(ctx);
if (bufs) {
VERIFY(err, 0 == context_build_overlap(ctx));
if (err)
goto bail;
}
ctx->retval = -1;
ctx->pid = current->pid;
ctx->tgid = current->tgid;