mirror of
https://github.com/Divested-Mobile/DivestOS-Build.git
synced 2025-01-09 22:49:30 -05:00
58 lines
2.1 KiB
Diff
58 lines
2.1 KiB
Diff
|
From f6e21d2a3778bcbbef7320ffbf31631d76679175 Mon Sep 17 00:00:00 2001
|
||
|
From: Wei Wang <wvw@google.com>
|
||
|
Date: Fri, 13 Jan 2017 20:00:07 -0800
|
||
|
Subject: [PATCH] msm: ADSPRPC: Buffer length to be copied is truncated
|
||
|
|
||
|
The buffer length that is being used to allocate gets truncated
|
||
|
due to it being assigned to wrong type causing a much smaller
|
||
|
buffer to be allocated than what is required for copying.
|
||
|
|
||
|
Bug: 31695439
|
||
|
CRs-Fixed: 1100695
|
||
|
Change-Id: I30818acd42bd282837c7c7aa16d56d3b95d4dfe7
|
||
|
Signed-off-by: Sathish Ambley <sathishambley@codeaurora.org>
|
||
|
Signed-off-by: Biswajit Paul <biswajitpaul@codeaurora.org>
|
||
|
Signed-off-by: Wei Wang <wvw@google.com>
|
||
|
---
|
||
|
drivers/char/adsprpc.c | 13 +++++++++++--
|
||
|
1 file changed, 11 insertions(+), 2 deletions(-)
|
||
|
|
||
|
diff --git a/drivers/char/adsprpc.c b/drivers/char/adsprpc.c
|
||
|
index 23e1e8b7d04a4..30a9bf32d0801 100644
|
||
|
--- a/drivers/char/adsprpc.c
|
||
|
+++ b/drivers/char/adsprpc.c
|
||
|
@@ -972,6 +972,7 @@ static int get_args(uint32_t kernel, struct smq_invoke_ctx *ctx)
|
||
|
/* calculate len requreed for copying */
|
||
|
for (oix = 0; oix < inbufs + outbufs; ++oix) {
|
||
|
int i = ctx->overps[oix]->raix;
|
||
|
+ uintptr_t mstart, mend;
|
||
|
ssize_t len = lpra[i].buf.len;
|
||
|
if (!len)
|
||
|
continue;
|
||
|
@@ -979,7 +980,15 @@ static int get_args(uint32_t kernel, struct smq_invoke_ctx *ctx)
|
||
|
continue;
|
||
|
if (ctx->overps[oix]->offset == 0)
|
||
|
copylen = ALIGN(copylen, BALIGN);
|
||
|
- copylen += ctx->overps[oix]->mend - ctx->overps[oix]->mstart;
|
||
|
+ mstart = ctx->overps[oix]->mstart;
|
||
|
+ mend = ctx->overps[oix]->mend;
|
||
|
+ VERIFY(err, (mend - mstart) <= LONG_MAX);
|
||
|
+ if (err)
|
||
|
+ goto bail;
|
||
|
+ copylen += mend - mstart;
|
||
|
+ VERIFY(err, copylen >= 0);
|
||
|
+ if (err)
|
||
|
+ goto bail;
|
||
|
}
|
||
|
ctx->used = copylen;
|
||
|
|
||
|
@@ -1044,7 +1053,7 @@ static int get_args(uint32_t kernel, struct smq_invoke_ctx *ctx)
|
||
|
for (oix = 0; oix < inbufs + outbufs; ++oix) {
|
||
|
int i = ctx->overps[oix]->raix;
|
||
|
struct fastrpc_mmap *map = ctx->maps[i];
|
||
|
- int mlen = ctx->overps[oix]->mend - ctx->overps[oix]->mstart;
|
||
|
+ ssize_t mlen = ctx->overps[oix]->mend - ctx->overps[oix]->mstart;
|
||
|
uint64_t buf;
|
||
|
ssize_t len = lpra[i].buf.len;
|
||
|
if (!len)
|