qcom: smcinvoke: Fix stack overflow for arr_filp

arr_filp is an alias to filp_to_release. It is exposed
to access indices greater than the allotted space of 15 bytes,
equal to the size of OBJECT_COUNTS_MAX_OO. This change fixes
the stack overflow by taking an independent variable to track
the number of output objects.

Change-Id: Idca9cef3c69693d27d4ca3d0e0b4845fc27c998a
Signed-off-by: Anmolpreet Kaur <anmolpre@codeaurora.org>
Anmolpreet Kaur 2019-05-02 17:32:08 +05:30 committed by Gerrit - the friendly Code Review server
parent 96eca37071
commit 6dc4873f91

@ -1,4 +1,4 @@
/* Copyright (c) 2016-2017, The Linux Foundation. All rights reserved.
/* Copyright (c) 2016-2017,2019 The Linux Foundation. All rights reserved.
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2 and
@ -302,7 +302,7 @@ static int marshal_in(const struct smcinvoke_cmd_req *req,
const union smcinvoke_arg *args_buf, uint32_t tzhandle,
uint8_t *buf, size_t buf_size, struct file **arr_filp)
{
int ret = -EINVAL, i = 0;
int ret = -EINVAL, i = 0, j = 0;
union smcinvoke_tz_args *tz_args = NULL;
struct smcinvoke_msg_hdr msg_hdr = {tzhandle, req->op, req->counts};
uint32_t offset = sizeof(struct smcinvoke_msg_hdr) +
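Review bot: the new counter `j` is not descriptive and, on the visible lines, does not match the commit message: the message says it tracks "the number of output objects", but in this function `j` is only advanced inside the `FOR_ARGS(i, req->counts, OI)` loop. Either rename it to say what it indexes (for example `filp_idx`, since it is the write position into `arr_filp`) and adjust the message, or add a short comment at the declaration explaining why `arr_filp` must be indexed by its own counter rather than by the argument index `i`.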
@ -347,7 +347,7 @@ static int marshal_in(const struct smcinvoke_cmd_req *req,
}
FOR_ARGS(i, req->counts, OI) {
if (get_tzhandle_from_fd(args_buf[i].o.fd,
&arr_filp[i], &(tz_args->tzhandle)))
&arr_filp[j++], &(tz_args->tzhandle)))
goto out;
tz_args++;
}
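Review bot: the bounds of `arr_filp` are still implicit here. The commit message states the array has OBJECT_COUNTS_MAX_OO entries, and `&arr_filp[j++]` is safe only if the OI count in `req->counts` was validated against that limit before `marshal_in` is called; that check is not part of this diff. Consider making the invariant explicit with a guard before the call, e.g. `if (j >= OBJECT_COUNTS_MAX_OO) goto out;`, or reference the existing validation in the commit message. Also, the post-increment hidden inside the argument list (`&arr_filp[j++]`) is easy to miss on review; a separate `j++;` after the `if` block would make the counter update visible.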