mirror of
https://github.com/Divested-Mobile/DivestOS-Build.git
synced 2024-12-20 21:34:24 -05:00
61 lines
1.9 KiB
Diff
61 lines
1.9 KiB
Diff
|
From 01b2c9a5d728ff6f2f1f28a5d4e927aaeabf56ed Mon Sep 17 00:00:00 2001
|
||
|
From: Satya Durga Srinivasu Prabhala <satyap@codeaurora.org>
|
||
|
Date: Tue, 25 Oct 2016 16:35:23 -0700
|
||
|
Subject: soc: qcom: scm: add check to avoid buffer overflow
|
||
|
|
||
|
There is a posibility of a buffer overflow in scm_call,
|
||
|
add check to avoid the same.
|
||
|
|
||
|
Change-Id: Iee908c56ec530569b35dafa060139e0428efc781
|
||
|
Signed-off-by: Satya Durga Srinivasu Prabhala <satyap@codeaurora.org>
|
||
|
---
|
||
|
drivers/soc/qcom/scm.c | 18 ++++++++++++------
|
||
|
1 file changed, 12 insertions(+), 6 deletions(-)
|
||
|
|
||
|
diff --git a/drivers/soc/qcom/scm.c b/drivers/soc/qcom/scm.c
|
||
|
index 714c848..b4713ac 100644
|
||
|
--- a/drivers/soc/qcom/scm.c
|
||
|
+++ b/drivers/soc/qcom/scm.c
|
||
|
@@ -56,9 +56,16 @@ DEFINE_MUTEX(scm_lmh_lock);
|
||
|
#define SMC_ATOMIC_MASK 0x80000000
|
||
|
#define IS_CALL_AVAIL_CMD 1
|
||
|
|
||
|
-#define SCM_BUF_LEN(__cmd_size, __resp_size) \
|
||
|
- (sizeof(struct scm_command) + sizeof(struct scm_response) + \
|
||
|
- __cmd_size + __resp_size)
|
||
|
+#define SCM_BUF_LEN(__cmd_size, __resp_size) ({ \
|
||
|
+ size_t x = __cmd_size + __resp_size; \
|
||
|
+ size_t y = sizeof(struct scm_command) + sizeof(struct scm_response); \
|
||
|
+ size_t result; \
|
||
|
+ if (x < __cmd_size || (x + y) < x) \
|
||
|
+ result = 0; \
|
||
|
+ else \
|
||
|
+ result = x + y; \
|
||
|
+ result; \
|
||
|
+ })
|
||
|
/**
|
||
|
* struct scm_command - one SCM command buffer
|
||
|
* @len: total available memory for command and response
|
||
|
@@ -356,8 +363,7 @@ int scm_call_noalloc(u32 svc_id, u32 cmd_id, const void *cmd_buf,
|
||
|
int ret;
|
||
|
size_t len = SCM_BUF_LEN(cmd_len, resp_len);
|
||
|
|
||
|
- if (cmd_len > scm_buf_len || resp_len > scm_buf_len ||
|
||
|
- len > scm_buf_len)
|
||
|
+ if (len == 0)
|
||
|
return -EINVAL;
|
||
|
|
||
|
if (!IS_ALIGNED((unsigned long)scm_buf, PAGE_SIZE))
|
||
|
@@ -780,7 +786,7 @@ int scm_call(u32 svc_id, u32 cmd_id, const void *cmd_buf, size_t cmd_len,
|
||
|
int ret;
|
||
|
size_t len = SCM_BUF_LEN(cmd_len, resp_len);
|
||
|
|
||
|
- if (cmd_len > len || resp_len > len)
|
||
|
+ if (len == 0 || PAGE_ALIGN(len) < len)
|
||
|
return -EINVAL;
|
||
|
|
||
|
cmd = kzalloc(PAGE_ALIGN(len), GFP_KERNEL);
|
||
|
--
|
||
|
cgit v1.1
|
||
|
|