evie/android_kernel_oneplus_msm8998
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

iommu: dma-mapping-fast: Add a check for count in fast_smmu_alloc

Browse source 
In fast_smmu_alloc size_t variable size is type casted to int
variable count, this variable count can get truncated and can
result in memory corruption during unmap, make count as size_t
and also add a check for count as sg_alloc_table_from_pages
accepts unsigned int value for count.

Change-Id: I4780a554c5c062fd9dd229e5cc0ac804b1ba31d8
Signed-off-by: Vijayanand Jitta <vjitta@codeaurora.org>
This commit is contained in:
Vijayanand Jitta 2019-01-27 22:36:16 +05:30 committed by Gerrit - the friendly Code Review server
parent afbf8abea5
commit 412b07f4da
1 changed files with 12 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

14
drivers/iommu/dma-mapping-fast.c
View file

@ -1,4 +1,4 @@
/* Copyright (c) 2016-2017, The Linux Foundation. All rights reserved.
/* Copyright (c) 2016-2017,2019, The Linux Foundation. All rights reserved.
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2 and
@ -513,12 +513,22 @@ static void *fast_smmu_alloc(struct device *dev, size_t size,
av8l_fast_iopte *ptep;
unsigned long flags;
struct sg_mapping_iter miter;
unsigned int count = ALIGN(size, SZ_4K) >> PAGE_SHIFT;
size_t count = ALIGN(size, SZ_4K) >> PAGE_SHIFT;
int prot = IOMMU_READ | IOMMU_WRITE; /* TODO: extract from attrs */
bool is_coherent = is_dma_coherent(dev, attrs);
pgprot_t remap_prot = __get_dma_pgprot(attrs, PAGE_KERNEL, is_coherent);
struct page **pages;
/*
* sg_alloc_table_from_pages accepts unsigned int value for count
* so check count doesn't exceed UINT_MAX.
*/
if (count > UINT_MAX) {
dev_err(dev, "count: %zx exceeds UNIT_MAX\n", count);
return NULL;
}
prot = __get_iommu_pgprot(attrs, prot, is_coherent);
*handle = DMA_ERROR_CODE;