From 6f6ce85df80c31048863cd31349e86277d89ff36 Mon Sep 17 00:00:00 2001
From: Biswajit Paul
Date: Tue, 13 Dec 2016 15:27:30 -0800
Subject: [PATCH] msm: ADSPRPC: Buffer length to be copied is truncated
The buffer length that is being used to allocate gets truncated due to it being assigned to wrong type causing a much smaller buffer to be allocated than what is required for copying.
Bug: 31695439
CRs-Fixed: 1100695
Change-Id: I30818acd42bd282837c7c7aa16d56d3b95d4dfe7
Signed-off-by: Sathish Ambley
Signed-off-by: Biswajit Paul
---
 drivers/char/adsprpc.c | 18 ++++++++++++++----
 1 file changed, 14 insertions(+), 4 deletions(-)
diff --git a/drivers/char/adsprpc.c b/drivers/char/adsprpc.c
index a9c537b543122..f99855c0cacf5 100644
--- a/drivers/char/adsprpc.c
+++ b/drivers/char/adsprpc.c
@@ -833,9 +833,9 @@ static int get_args(uint32_t kernel, struct smq_invoke_ctx *ctx,
 void *args;
 remote_arg_t *pra = ctx->pra;
 remote_arg_t *rpra = ctx->rpra;
- ssize_t rlen, used, size;
+ ssize_t rlen, used, size, copylen = 0;
 uint32_t sc = ctx->sc, start;
- int i, inh, bufs = 0, err = 0, oix, copylen = 0;
+ int i, inh, bufs = 0, err = 0, oix;
 int inbufs = REMOTE_SCALARS_INBUFS(sc);
 int outbufs = REMOTE_SCALARS_OUTBUFS(sc);
 int cid = ctx->fdata->cid;
@@ -884,13 +884,23 @@ static int get_args(uint32_t kernel, struct smq_invoke_ctx *ctx,
 /* calculate len requreed for copying */
 for (oix = 0; oix < inbufs + outbufs; ++oix) {
 int i = ctx->overps[oix]->raix;
+ uintptr_t mstart, mend;
+
 if (!pra[i].buf.len)
 continue;
 if (list[i].num)
 continue;
 if (ctx->overps[oix]->offset == 0)
 copylen = ALIGN(copylen, BALIGN);
- copylen += ctx->overps[oix]->mend - ctx->overps[oix]->mstart;
+ mstart = ctx->overps[oix]->mstart;
+ mend = ctx->overps[oix]->mend;
+ VERIFY(err, (mend - mstart) <= LONG_MAX);
+ if (err) goto bail;
+ copylen += mend - mstart;
+ VERIFY(err, copylen >= 0);
+ if (err) goto bail;
 }
 /* alocate new buffer */
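Review bot: `copylen` now carries an initializer inside a declaration list of otherwise uninitialized variables (`ssize_t rlen, used, size, copylen = 0;`); giving it its own line, `ssize_t copylen = 0;`, makes the running total stand out and leaves room to say why it must stay signed. The later `VERIFY(err, copylen >= 0)` guard in this same function only detects a wrapped total because ssize_t can go negative, so a comment such as `/* total bytes to copy for non-ion buffers; kept signed so the wrap check below works */` records that dependency for the next person who is tempted to make it size_t. get_args continues outside this hunk.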
@@ -916,7 +926,7 @@ static int get_args(uint32_t kernel, struct smq_invoke_ctx *ctx,
 /* copy non ion buffers */
 for (oix = 0; oix < inbufs + outbufs; ++oix) {
 int i = ctx->overps[oix]->raix;
- int mlen = ctx->overps[oix]->mend - ctx->overps[oix]->mstart;
+ ssize_t mlen = ctx->overps[oix]->mend - ctx->overps[oix]->mstart;
 if (!pra[i].buf.len)
 continue;
 if (list[i].num)
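Review bot: `ssize_t mlen = ctx->overps[oix]->mend - ctx->overps[oix]->mstart;` converts a difference that appears to be unsigned (the earlier hunk copies these fields into `uintptr_t` locals) into a signed type with no check of its own; that is only safe because the length pass earlier in get_args already verifies `(mend - mstart) <= LONG_MAX` for every entry this loop visits, both loops skipping the same `!pra[i].buf.len` and `list[i].num` cases. A comment on the new line, e.g. `/* mend - mstart was verified <= LONG_MAX in the copylen pass above */`, makes that coupling explicit so the two loops do not drift apart if one later gains a filter the other lacks. The loop body, including every use of mlen, continues outside this hunk.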