From f6e21d2a3778bcbbef7320ffbf31631d76679175 Mon Sep 17 00:00:00 2001
From: Wei Wang
Date: Fri, 13 Jan 2017 20:00:07 -0800
Subject: [PATCH] msm: ADSPRPC: Buffer length to be copied is truncated

The buffer length that is being used to allocate gets truncated due to it being assigned to wrong type causing a much smaller buffer to be allocated than what is required for copying.

Bug: 31695439
CRs-Fixed: 1100695
Change-Id: I30818acd42bd282837c7c7aa16d56d3b95d4dfe7
Signed-off-by: Sathish Ambley
Signed-off-by: Biswajit Paul
Signed-off-by: Wei Wang
---
 drivers/char/adsprpc.c | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/drivers/char/adsprpc.c b/drivers/char/adsprpc.c
index 23e1e8b7d04a4..30a9bf32d0801 100644
--- a/drivers/char/adsprpc.c
+++ b/drivers/char/adsprpc.c
@@ -972,6 +972,7 @@ static int get_args(uint32_t kernel, struct smq_invoke_ctx *ctx)
 /* calculate len requreed for copying */
 for (oix = 0; oix < inbufs + outbufs; ++oix) {
 int i = ctx->overps[oix]->raix;
+uintptr_t mstart, mend;
 ssize_t len = lpra[i].buf.len;
 if (!len)
 continue;
@@ -979,7 +980,15 @@ static int get_args(uint32_t kernel, struct smq_invoke_ctx *ctx)
 continue;
 if (ctx->overps[oix]->offset == 0)
 copylen = ALIGN(copylen, BALIGN);
-copylen += ctx->overps[oix]->mend - ctx->overps[oix]->mstart;
+mstart = ctx->overps[oix]->mstart;
+mend = ctx->overps[oix]->mend;
+VERIFY(err, (mend - mstart) <= LONG_MAX);
+if (err)
+goto bail;
+copylen += mend - mstart;
+VERIFY(err, copylen >= 0);
+if (err)
+goto bail;
 }
 ctx->used = copylen;
@@ -1044,7 +1053,7 @@ static int get_args(uint32_t kernel, struct smq_invoke_ctx *ctx)
 for (oix = 0; oix < inbufs + outbufs; ++oix) {
 int i = ctx->overps[oix]->raix;
 struct fastrpc_mmap *map = ctx->maps[i];
-int mlen = ctx->overps[oix]->mend - ctx->overps[oix]->mstart;
+ssize_t mlen = ctx->overps[oix]->mend - ctx->overps[oix]->mstart;
 uint64_t buf;
 ssize_t len = lpra[i].buf.len;
 if (!len)
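Review bot: The overflow guard in the second hunk checks `copylen >= 0` only after `copylen += mend - mstart` has been performed, so it catches the overflow only by relying on the out-of-range unsigned difference wrapping into a negative value on conversion back to the (apparently signed) copylen, which is implementation-defined rather than guaranteed; checking the headroom before the addition states the intent directly and needs no wrap, e.g. `VERIFY(err, (mend - mstart) <= (uintptr_t)(LONG_MAX - copylen));` in place of the `<= LONG_MAX` check, with the existing `if (err) goto bail;` kept and the trailing `copylen >= 0` check then redundant. The third hunk recomputes the same difference into `ssize_t mlen` with no range check and so is correct only because every entry reaching it was already validated by the length-calculation loop; a comment such as `/* mend - mstart was range-checked in the copylen loop above */` on that line would record the dependency for the next reader. copylen's declaration and the body of get_args lie outside all three hunks, so the type of copylen is inferred here rather than seen.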