From 0b5f49b360afdebf8ef55df1e48ec141b3629621 Mon Sep 17 00:00:00 2001
From: Fred Oh
Date: Fri, 11 Oct 2013 15:07:45 -0700
Subject: ASoc: msm: qdsp6v2: add vm page offset validation

Lack of range validation can lead wrong mapping or expose arbitrary memory page to userspace

Change-Id: I8c6eb1b7255d444bffd9d3748ca4815b11bdf16a
Signed-off-by: Fred Oh
---
 arch/arm/mach-msm/qdsp6v2/msm_audio_ion.c | 7 +++++++
 1 file changed, 7 insertions(+)
(limited to 'arch/arm/mach-msm/qdsp6v2/msm_audio_ion.c')
diff --git a/arch/arm/mach-msm/qdsp6v2/msm_audio_ion.c b/arch/arm/mach-msm/qdsp6v2/msm_audio_ion.c
index 0a50bcc..2d375ac 100644
--- a/arch/arm/mach-msm/qdsp6v2/msm_audio_ion.c
+++ b/arch/arm/mach-msm/qdsp6v2/msm_audio_ion.c
@@ -269,6 +269,7 @@ int msm_audio_ion_mmap(struct audio_buffer *ab,
 } else {
 ion_phys_addr_t phys_addr;
 size_t phys_len;
+ size_t va_len = 0;
 pr_debug("%s: page is NULL\n", __func__);
 ret = ion_phys(ab->client, ab->handle, &phys_addr, &phys_len);
@@ -282,6 +283,12 @@ int msm_audio_ion_mmap(struct audio_buffer *ab,
 vma, (unsigned int)vma->vm_start, (unsigned int)vma->vm_end, vma->vm_pgoff, (unsigned long int)vma->vm_page_prot);
+ va_len = vma->vm_end - vma->vm_start;
+ if ((offset > phys_len) || (va_len > phys_len-offset)) {
+ pr_err("wrong offset size %ld, lens= %d, va_len=%d\n",
+ offset, phys_len, va_len);
+ return -EINVAL;
+ }
 ret = remap_pfn_range(vma, vma->vm_start, __phys_to_pfn(phys_addr) + vma->vm_pgoff, vma->vm_end - vma->vm_start,
-- cgit v1.1
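Review bot: The added bounds check in the second hunk tests `offset`, but the `remap_pfn_range()` call right after it adds `vma->vm_pgoff` to the PFN, and `offset` is declared outside the hunk, so the check is only as strong as the way `offset` is derived from `vm_pgoff`. If it comes from a shift or multiply by the page size, a very large `vm_pgoff` could wrap to a small byte offset on a 32-bit build and pass the test; comparing in page units avoids that, e.g. `if (vma->vm_pgoff > (phys_len >> PAGE_SHIFT) || vma_pages(vma) > (phys_len >> PAGE_SHIFT) - vma->vm_pgoff)`. The `pr_err()` also prints the `size_t` values `phys_len` and `va_len` with `%d`, where `%zu` is the matching specifier, and a `"%s: "` / `__func__` prefix would match the `pr_debug()` lines around it. The body of `msm_audio_ion_mmap()` starts and ends outside both hunks, so the branch taken when the page is not NULL could not be checked for the same validation.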