samsung-sm8650/android_kernel_samsung_sm8650-modules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

dsp-kernel: Check for user input buffer

Browse Source 
Add check for user input buffer to fix improper access.

Signed-off-by: quic_anane <quic_anane@quicinc.com>
This commit is contained in:
quic_anane
2024-01-25 16:43:12 +05:30
parent 698dfba608
commit 23611a1626
1 changed files with 12 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
dsp/adsprpc.c
View File

@@ -2612,6 +2612,7 @@ static int get_args(uint32_t kernel, struct smq_invoke_ctx *ctx)
struct fastrpc_mmap *map = ctx->maps[i];
uint64_t buf = ptr_to_uint64(lpra[i].buf.pv);
size_t len = lpra[i].buf.len;
uint64_t buf_start = 0;
rpra[i].buf.pv = 0;
rpra[i].buf.len = len;
@@ -2633,7 +2634,17 @@ static int get_args(uint32_t kernel, struct smq_invoke_ctx *ctx)
up_read(&current->mm->mmap_lock);
goto bail;
}
offset = buf_page_start(buf) - vma->vm_start;
buf_start = buf_page_start(buf);
VERIFY(err, vma->vm_start <= buf_start);
if (err) {
up_read(&current->mm->mmap_lock);
ADSPRPC_ERR(
"buffer VA invalid for fd %d, IPA 0x%llx, VA 0x%llx, vma start 0x%llx\n",
map->fd, map->phys, map->va, vma->vm_start);
err = -EFAULT;
goto bail;
}
offset = buf_start - vma->vm_start;
up_read(&current->mm->mmap_lock);
VERIFY(err, offset + len <= (uintptr_t)map->size);
if (err) {