msm: ADSPRPC: Check for buffer overflow condition
The buffer length that is being passed could result in overflow
condition causing invalid memory to be accessed.
Change-Id: I3e23f31b8cb61f8e77d09a39fab4a2d4c222cf25
Signed-off-by: Sathish Ambley <sathishambley@codeaurora.org>
diff --git a/drivers/char/adsprpc.c b/drivers/char/adsprpc.c
index a835344..efaa9d1 100644
--- a/drivers/char/adsprpc.c
+++ b/drivers/char/adsprpc.c
@@ -672,9 +672,9 @@
return st == 0 ? ed : st;
}
-static void context_build_overlap(struct smq_invoke_ctx *ctx)
+static int context_build_overlap(struct smq_invoke_ctx *ctx)
{
- int i;
+ int i, err = 0;
remote_arg_t *lpra = ctx->lpra;
int inbufs = REMOTE_SCALARS_INBUFS(ctx->sc);
int outbufs = REMOTE_SCALARS_OUTBUFS(ctx->sc);
@@ -684,6 +684,11 @@
for (i = 0; i < nbufs; ++i) {
ctx->overs[i].start = (uintptr_t)lpra[i].buf.pv;
ctx->overs[i].end = ctx->overs[i].start + lpra[i].buf.len;
+ if (lpra[i].buf.len) {
+ VERIFY(err, ctx->overs[i].end > ctx->overs[i].start);
+ if (err)
+ goto bail;
+ }
ctx->overs[i].raix = i;
ctx->overps[i] = &ctx->overs[i];
}
@@ -709,6 +714,8 @@
max = *ctx->overps[i];
}
}
+bail:
+ return err;
}
#define K_COPY_FROM_USER(err, kernel, dst, src, size) \
@@ -781,8 +788,11 @@
}
ctx->sc = invoke->sc;
- if (bufs)
- context_build_overlap(ctx);
+ if (bufs) {
+ VERIFY(err, 0 == context_build_overlap(ctx));
+ if (err)
+ goto bail;
+ }
ctx->retval = -1;
ctx->pid = current->pid;
ctx->tgid = current->tgid;