69 lines
2.4 KiB
Diff
Raw Normal View History

From 6f6ce85df80c31048863cd31349e86277d89ff36 Mon Sep 17 00:00:00 2001
From: Biswajit Paul <biswajitpaul@codeaurora.org>
Date: Tue, 13 Dec 2016 15:27:30 -0800
Subject: [PATCH] msm: ADSPRPC: Buffer length to be copied is truncated
The buffer length that is being used to allocate gets truncated
due to it being assigned to wrong type causing a much smaller
buffer to be allocated than what is required for copying.
Bug: 31695439
CRs-Fixed: 1100695
Change-Id: I30818acd42bd282837c7c7aa16d56d3b95d4dfe7
Signed-off-by: Sathish Ambley <sathishambley@codeaurora.org>
Signed-off-by: Biswajit Paul <biswajitpaul@codeaurora.org>
---
drivers/char/adsprpc.c | 18 ++++++++++++++----
1 file changed, 14 insertions(+), 4 deletions(-)
diff --git a/drivers/char/adsprpc.c b/drivers/char/adsprpc.c
index a9c537b543122..f99855c0cacf5 100644
--- a/drivers/char/adsprpc.c
+++ b/drivers/char/adsprpc.c
@@ -833,9 +833,9 @@ static int get_args(uint32_t kernel, struct smq_invoke_ctx *ctx,
void *args;
remote_arg_t *pra = ctx->pra;
remote_arg_t *rpra = ctx->rpra;
- ssize_t rlen, used, size;
+ ssize_t rlen, used, size, copylen = 0;
uint32_t sc = ctx->sc, start;
- int i, inh, bufs = 0, err = 0, oix, copylen = 0;
+ int i, inh, bufs = 0, err = 0, oix;
int inbufs = REMOTE_SCALARS_INBUFS(sc);
int outbufs = REMOTE_SCALARS_OUTBUFS(sc);
int cid = ctx->fdata->cid;
@@ -884,13 +884,23 @@ static int get_args(uint32_t kernel, struct smq_invoke_ctx *ctx,
/* calculate len requreed for copying */
for (oix = 0; oix < inbufs + outbufs; ++oix) {
int i = ctx->overps[oix]->raix;
+ uintptr_t mstart, mend;
+
if (!pra[i].buf.len)
continue;
if (list[i].num)
continue;
if (ctx->overps[oix]->offset == 0)
copylen = ALIGN(copylen, BALIGN);
- copylen += ctx->overps[oix]->mend - ctx->overps[oix]->mstart;
+ mstart = ctx->overps[oix]->mstart;
+ mend = ctx->overps[oix]->mend;
+ VERIFY(err, (mend - mstart) <= LONG_MAX);
+ if (err)
+ goto bail;
+ copylen += mend - mstart;
+ VERIFY(err, copylen >= 0);
+ if (err)
+ goto bail;
}
/* alocate new buffer */
@@ -916,7 +926,7 @@ static int get_args(uint32_t kernel, struct smq_invoke_ctx *ctx,
/* copy non ion buffers */
for (oix = 0; oix < inbufs + outbufs; ++oix) {
int i = ctx->overps[oix]->raix;
- int mlen = ctx->overps[oix]->mend - ctx->overps[oix]->mstart;
+ ssize_t mlen = ctx->overps[oix]->mend - ctx->overps[oix]->mstart;
if (!pra[i].buf.len)
continue;
if (list[i].num)