From 12119c6299de371dd71afce0aa4860fe52d80281 Mon Sep 17 00:00:00 2001
From: Gopireddy Arunteja Reddy
Date: Sun, 26 May 2024 23:13:07 +0530
Subject: [PATCH] msm: eva: OOB write fix due to integer underflow

If FW send a pkt->size which is less than the sizeof packet structure then pkt->size - sizeof() would result into an integer underflow. Due to this the subsequent check would be by passed and we will start write to an OOB memory.

Change-Id: I8d33602a707a4bab07c5db53abe252bd480bfb84
Signed-off-by: Gopireddy Arunteja Reddy
---
 msm/eva/hfi_response_handler.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/msm/eva/hfi_response_handler.c b/msm/eva/hfi_response_handler.c
index 0cb9559f63..89f7b2b68d 100644
--- a/msm/eva/hfi_response_handler.c
+++ b/msm/eva/hfi_response_handler.c
@@ -1,7 +1,7 @@
 // SPDX-License-Identifier: GPL-2.0-only /* * Copyright (c) 2018-2021, The Linux Foundation. All rights reserved.
- * Copyright (c) 2023 Qualcomm Innovation Center, Inc. All rights reserved.
+ * Copyright (c) 2023-2024, Qualcomm Innovation Center, Inc. All rights reserved.
 */ #include
@@ -624,7 +624,7 @@ static void hfi_process_sys_get_prop_image_version(
 int req_bytes; req_bytes = pkt->size - sizeof(*pkt);
- if (req_bytes < version_string_size ||
+ if (req_bytes < (signed int)version_string_size ||
 !pkt->rg_property_data[1] || pkt->num_properties > 1) { dprintk(CVP_ERR, "%s: bad_pkt: %d\n", __func__, req_bytes);
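Review bot: The length check in the second hunk still lets `pkt->size - sizeof(*pkt)` wrap and relies on the result being narrowed to a negative `int`, with the new cast on `version_string_size` (presumably unsigned, given the need for the cast) making the comparison signed. Rejecting a short packet before the subtraction avoids depending on those conversions: `if (pkt->size < sizeof(*pkt) || pkt->size - sizeof(*pkt) < version_string_size ||`. A short comment above the check, e.g. `/* pkt->size is firmware-supplied and may be smaller than the packet header */`, would record why the lower bound matters. The hunk does not show whether `pkt->size` is also bounded by the length of the message actually received, and hfi_process_sys_get_prop_image_version starts and ends outside the hunk, so that is worth confirming where the packet is dispatched.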