msm:ipa: Fix to slab out of bounds access

Accessing an incorrect structure pointer causes a
slab-out-of-bounds access. Fix the issue by accessing
the correct structure pointer.

Change-Id: I23d3c9afbbabba88be92ef5cae83c4708a211e88
Acked-by: Ashok Vuyyuru <avuyyuru@qti.qualcomm.com>
Signed-off-by: Mohammed Javid <mjavid@codeaurora.org>
Mohammed Javid 2017-09-07 11:05:56 +05:30 committed by Gerrit - the friendly Code Review server
parent b56464c7cb
commit 43a3a58e49
4 changed files with 26 additions and 9 deletions


@ -812,10 +812,11 @@ static ssize_t ipa_read_flt(struct file *file, char __user *ubuf, size_t count,
eq = true;
} else {
rt_tbl = ipa_id_find(entry->rule.rt_tbl_hdl);
if (rt_tbl)
rt_tbl_idx = rt_tbl->idx;
if (rt_tbl == NULL ||
rt_tbl->cookie != IPA_RT_TBL_COOKIE)
rt_tbl_idx = ~0;
else
rt_tbl_idx = ~0;
rt_tbl_idx = rt_tbl->idx;
bitmap = entry->rule.attrib.attrib_mask;
eq = false;
}
@ -842,10 +843,11 @@ static ssize_t ipa_read_flt(struct file *file, char __user *ubuf, size_t count,
eq = true;
} else {
rt_tbl = ipa_id_find(entry->rule.rt_tbl_hdl);
if (rt_tbl)
rt_tbl_idx = rt_tbl->idx;
else
if (rt_tbl == NULL ||
rt_tbl->cookie != IPA_RT_TBL_COOKIE)
rt_tbl_idx = ~0;
else
rt_tbl_idx = rt_tbl->idx;
bitmap = entry->rule.attrib.attrib_mask;
eq = false;
}
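Review bot: The new `rt_tbl->cookie != IPA_RT_TBL_COOKIE` test still reads through the pointer returned by `ipa_id_find()` as if it were a routing table, so it is only safe if `cookie` lies at the same in-bounds offset in every structure type that can be registered under a handle. The structure definitions are not visible on this page, so that layout assumption should be confirmed and written down next to the check, for example `/* hdl may resolve to a non-rt_tbl object; cookie must sit at a common offset in all id-registered structs */`. The same three-line check is repeated in both hunks of ipa_read_flt and again in ipa3_read_flt; a small static helper that returns the index or `~0` would keep the three copies from drifting. ipa_read_flt starts and ends outside these hunks.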


@ -867,10 +867,11 @@ static ssize_t ipa3_read_flt(struct file *file, char __user *ubuf, size_t count,
eq = true;
} else {
rt_tbl = ipa3_id_find(entry->rule.rt_tbl_hdl);
if (rt_tbl)
rt_tbl_idx = rt_tbl->idx;
if (rt_tbl == NULL ||
rt_tbl->cookie != IPA_RT_TBL_COOKIE)
rt_tbl_idx = ~0;
else
rt_tbl_idx = ~0;
rt_tbl_idx = rt_tbl->idx;
bitmap = entry->rule.attrib.attrib_mask;
eq = false;
}


@ -1157,6 +1157,13 @@ int ipa3_add_flt_rule_after(struct ipa_ioc_add_flt_rule_after *rules)
goto bail;
}
if (entry->cookie != IPA_FLT_COOKIE) {
IPAERR_RL("Invalid cookie value = %u flt hdl id = %d\n",
entry->cookie, rules->add_after_hdl);
result = -EINVAL;
goto bail;
}
if (entry->tbl != tbl) {
IPAERR_RL("given entry does not match the table\n");
result = -EINVAL;
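Review bot: When the cookie does not match, `entry` refers to an object that is not a filter entry, yet the added `IPAERR_RL` call prints `entry->cookie`, which puts four bytes of some unrelated structure into the kernel log. Logging the handle alone is enough to diagnose the bad request: `IPAERR_RL("Invalid cookie for flt hdl id = %d\n", rules->add_after_hdl);`. The matching message added in ipa3_add_rt_rule_after has the same issue. The type of `add_after_hdl` is not shown here; if it is unsigned, `%u` would be the matching specifier. The function body continues outside the hunk.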


@ -1152,6 +1152,13 @@ int ipa3_add_rt_rule_after(struct ipa_ioc_add_rt_rule_after *rules)
goto bail;
}
if (entry->cookie != IPA_RT_RULE_COOKIE) {
IPAERR_RL("Invalid cookie value = %u rule %d in rt tbls\n",
entry->cookie, rules->add_after_hdl);
ret = -EINVAL;
goto bail;
}
if (entry->tbl != tbl) {
IPAERR_RL("given rt rule does not match the table\n");
ret = -EINVAL;