From fc205b4594de552331b0d6d8b257611bec6908e6 Mon Sep 17 00:00:00 2001
From: Aaron Tzeng <Aaron.Tzeng@quantatw.com>
Date: Wed, 25 Jan 2017 10:51:55 -0800
Subject: [PATCH] msm: ADSPRPC: Check for buffer overflow condition
The buffer length that is being passed could result in overflow
condition causing invalid memory to be accessed.
Change-Id: I3e23f31b8cb61f8e77d09a39fab4a2d4c222cf25
Signed-off-by: Sathish Ambley <sathishambley@codeaurora.org>
---
drivers/char/adsprpc.c | 18 ++++++++++++++----
1 file changed, 14 insertions(+), 4 deletions(-)
diff --git a/drivers/char/adsprpc.c b/drivers/char/adsprpc.c
index 94f2546ea597..b0638f6ab68e 100644
--- a/drivers/char/adsprpc.c
+++ b/drivers/char/adsprpc.c
@@ -678,9 +678,9 @@ static int overlap_ptr_cmp(const void *a, const void *b)
return st == 0 ? ed : st;
}
-static void context_build_overlap(struct smq_invoke_ctx *ctx)
+static int context_build_overlap(struct smq_invoke_ctx *ctx)
{
- int i;
+ int i, err = 0;
remote_arg_t *lpra = ctx->lpra;
int inbufs = REMOTE_SCALARS_INBUFS(ctx->sc);
int outbufs = REMOTE_SCALARS_OUTBUFS(ctx->sc);
@@ -689,6 +689,11 @@ static void context_build_overlap(struct smq_invoke_ctx *ctx)
for (i = 0; i < nbufs; ++i) {
ctx->overs[i].start = (uintptr_t)lpra[i].buf.pv;
ctx->overs[i].end = ctx->overs[i].start + lpra[i].buf.len;
+ if (lpra[i].buf.len) {
+ VERIFY(err, ctx->overs[i].end > ctx->overs[i].start);
+ if (err)
+ goto bail;
+ }
ctx->overs[i].raix = i;
ctx->overps[i] = &ctx->overs[i];
}
@@ -714,6 +719,8 @@ static void context_build_overlap(struct smq_invoke_ctx *ctx)
max = *ctx->overps[i];
}
}
+bail:
+ return err;
}
#define K_COPY_FROM_USER(err, kernel, dst, src, size) \
@@ -777,8 +784,11 @@ static int context_alloc(struct fastrpc_file *fl, uint32_t kernel,
goto bail;
}
ctx->sc = invoke->sc;
- if (bufs)
- context_build_overlap(ctx);
+ if (bufs) {
+ VERIFY(err, 0 == context_build_overlap(ctx));
+ if (err)
+ goto bail;
+ }
ctx->retval = -1;
ctx->pid = current->pid;
ctx->tgid = current->tgid;
--
GitLab