
From c257f35acc3841f7b99730f01ba834c0575030de Mon Sep 17 00:00:00 2001
From: Biswajit Paul <biswajitpaul@codeaurora.org>
Date: Fri, 2 Dec 2016 12:54:53 -0800
Subject: [PATCH] msm: ADSPRPC: Buffer length truncated while validation

The buffer length that is being used to validate gets truncated
due to it being assigned to wrong type causing invalid memory
to be accessed when the actual buffer length is used to copy
user buffer contents.

Bug: 31695439
CRs-Fixed: 1086123
Change-Id: If04dee27b8bae04eef7455773d9f4327fd008a21
Signed-off-by: Sathish Ambley <sathishambley@codeaurora.org>
Signed-off-by: Biswajit Paul <biswajitpaul@codeaurora.org>
---
drivers/char/adsprpc.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/char/adsprpc.c b/drivers/char/adsprpc.c
index f99855c0cacf5..53396b7839497 100644
--- a/drivers/char/adsprpc.c
+++ b/drivers/char/adsprpc.c
@@ -719,7 +719,8 @@ static int get_page_list(uint32_t kernel, struct smq_invoke_ctx *ctx)
pgstart->size = obuf->size;
for (i = 0; i < inbufs + outbufs; ++i) {
void *buf;
- int len, num;
+ int num;
+ ssize_t len;
list[i].num = 0;
list[i].pgidx = 0;
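
Review bot: `ssize_t len;` is still a signed type, so the validation that uses `len` later in this loop of `get_page_list()` has to reject negative values explicitly, and `int num;` on the line above keeps its 32-bit width, so if `num` is derived from `len` (for example as a page count) it can still truncate for large lengths. The hunk does not show where `len` is assigned or compared, so please confirm that the source length field has the same width as `ssize_t` and that no comparison against `len` goes through an implicit narrowing cast. If the source field is unsigned, `size_t len;` would state the intent more directly, and widening `num` in the same change would keep the two variables consistent.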