msm: eva: OOB write fix due to integer underflow

If FW send a pkt->size which is less than the sizeof packet structure then pkt->size - sizeof() would result into an integer underflow. Due to this the subsequent check would be by passed and we will start write to an OOB memory. Change-Id: I8d33602a707a4bab07c5db53abe252bd480bfb84 Signed-off-by: Gopireddy Arunteja Reddy <quic_garuntej@quicinc.com>
2024-05-26 23:13:07 +05:30
parent eafe8352c3
commit 12119c6299
1 changed files with 2 additions and 2 deletions
--- a/msm/eva/hfi_response_handler.c
+++ b/msm/eva/hfi_response_handler.c
@@ -1,7 +1,7 @@
 // SPDX-License-Identifier: GPL-2.0-only
 /*
 * Copyright (c) 2018-2021, The Linux Foundation. All rights reserved.
- * Copyright (c) 2023 Qualcomm Innovation Center, Inc. All rights reserved.
+ * Copyright (c) 2023-2024, Qualcomm Innovation Center, Inc. All rights reserved.
 */

 #include <linux/bitops.h>
@@ -624,7 +624,7 @@ static void hfi_process_sys_get_prop_image_version(
 	int req_bytes;

 	req_bytes = pkt->size - sizeof(*pkt);
-	if (req_bytes < version_string_size ||
+	if (req_bytes < (signed int)version_string_size ||
 			!pkt->rg_property_data[1] ||
 			pkt->num_properties > 1) {
 		dprintk(CVP_ERR, "%s: bad_pkt: %d\n", __func__, req_bytes);