author | Mohammed Nayeem Ur Rahman <mohara@codeaurora.org> | 2020-06-10 12:54:21 +0530 |
---|---|---|
committer | Gerrit - the friendly Code Review server <code-review@localhost> | 2020-06-30 20:44:51 -0700 |
commit | 814a5d4bec88b82727b3a302733ecd0453589dd3 (patch) | |
tree | d24529fcc8b2bacab47928a13b331d9a1e022799 | |
parent | 99368f4304a7ce1f2d9ec6064ba5e965c8e671a8 (diff) |
msm: adsprpc: Fix array index underflow problemLA.UM.8.12.r1-12700-sm8250.0
Add a check to prevent index underflow. This ensures
that an invalid index is not accessed.
Change-Id: Ib971033c5820ca4dab38ace3b106c7b1b42529e4
Acked-by: Gururaj Chalger <gchalger@qti.qualcomm.com>
Signed-off-by: Mohammed Nayeem Ur Rahman <mohara@codeaurora.org>
-rw-r--r-- | drivers/char/adsprpc.c | 51 |
1 files changed, 37 insertions, 14 deletions
diff --git a/drivers/char/adsprpc.c b/drivers/char/adsprpc.c
index cbf70a308225..2c3ddaa0015f 100644
--- a/drivers/char/adsprpc.c
+++ b/drivers/char/adsprpc.c
@@ -843,12 +843,23 @@ static void fastrpc_mmap_free(struct fastrpc_mmap *map, uint32_t flags)
 {
 struct fastrpc_apps *me = &gfa;
 struct fastrpc_file *fl;
- int vmid;
+ int vmid, cid = -1, err = 0;
 struct fastrpc_session_ctx *sess;
 if (!map)
 return;
 fl = map->fl;
+ if (fl && !(map->flags == ADSP_MMAP_HEAP_ADDR ||
+ map->flags == ADSP_MMAP_REMOTE_HEAP_ADDR)) {
+ cid = fl->cid;
+ VERIFY(err, cid >= ADSP_DOMAIN_ID && cid < NUM_CHANNELS);
+ if (err) {
+ err = -ECHRNG;
+ pr_err("adsprpc: ERROR:%s, Invalid channel id: %d, err:%d\n",
+ __func__, cid, err);
+ return;
+ }
+ }
 if (map->flags == ADSP_MMAP_HEAP_ADDR ||
 map->flags == ADSP_MMAP_REMOTE_HEAP_ADDR) {
 map->refs--;
@@ -2056,9 +2067,17 @@ static int fastrpc_invoke_send(struct smq_invoke_ctx *ctx,
 {
 struct smq_msg *msg = &ctx->msg;
 struct fastrpc_file *fl = ctx->fl;
- struct fastrpc_channel_ctx *channel_ctx = &fl->apps->channel[fl->cid];
- int err = 0;
+ struct fastrpc_channel_ctx *channel_ctx = NULL;
+ int err = 0, cid = -1;
+ cid = fl->cid;
+ VERIFY(err, cid >= ADSP_DOMAIN_ID && cid < NUM_CHANNELS);
+ if (err) {
+ err = -ECHRNG;
+ goto bail;
+ }
+
+ channel_ctx = &fl->apps->channel[fl->cid];
 mutex_lock(&channel_ctx->smd_mutex);
 msg->pid = fl->tgid;
 msg->tid = current->pid;
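Review bot: The new early `return` in fastrpc_mmap_free() skips the whole release path when `cid` is out of range, and because the function is void the caller cannot tell that the map was not freed; `err = -ECHRNG` is only ever printed. The rest of the body is outside the hunk, so it is not visible whether the reference drop and list removal for non-heap maps come after this point; if they do, an invalid `fl->cid` now becomes a leaked mapping. Consider limiting the guard to the statements that actually index by `cid`, and document the choice with a comment such as `/* cid indexes the channel table below; an invalid id must not be used as an index */`. The added condition also repeats the `map->flags` test of the `if` that follows it, so the two could be folded together.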
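Review bot: In fastrpc_invoke_send() the array index is still read from `fl->cid` after the range check was made on the local copy, so the checked value and the value used as the index can differ if `fl->cid` changes in between; index with the validated local instead: `channel_ctx = &fl->apps->channel[cid];`. `channel_ctx` is now NULL on the `goto bail` path and the `bail` label is outside the hunk, so confirm that nothing after it unlocks `channel_ctx->smd_mutex` or otherwise dereferences the pointer.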
@@ -2247,10 +2266,23 @@ static int fastrpc_internal_invoke(struct fastrpc_file *fl, uint32_t mode,
 {
 struct smq_invoke_ctx *ctx = NULL;
 struct fastrpc_ioctl_invoke *invoke = &inv->inv;
- int err = 0, interrupted = 0, cid = fl->cid;
+ int err = 0, interrupted = 0, cid = -1;
 struct timespec invoket = {0};
 int64_t *perf_counter = NULL;
+ cid = fl->cid;
+ VERIFY(err, cid >= ADSP_DOMAIN_ID && cid < NUM_CHANNELS);
+ if (err) {
+ err = -ECHRNG;
+ goto bail;
+ }
+ VERIFY(err, fl->sctx != NULL);
+ if (err) {
+ pr_err("adsprpc: ERROR: %s: user application %s domain is not set\n",
+ __func__, current->comm);
+ err = -EBADR;
+ goto bail;
+ }
 if (fl->profile) {
 perf_counter = getperfcounter(fl, PERF_COUNT);
 getnstimeofday(&invoket);
@@ -2268,15 +2300,6 @@ static int fastrpc_internal_invoke(struct fastrpc_file *fl, uint32_t mode,
 }
 }
- VERIFY(err, cid >= ADSP_DOMAIN_ID && cid < NUM_CHANNELS &&
- fl->sctx != NULL);
- if (err) {
- pr_err("adsprpc: ERROR: %s: kernel session not initialized yet for %s\n",
- __func__, current->comm);
- err = EBADR;
- goto bail;
- }
-
 if (!kernel) {
 err = context_restore_interrupted(fl, inv, &ctx);
 if (err)
@@ -3864,7 +3887,7 @@ static const struct file_operations debugfs_fops = {
 static int fastrpc_channel_open(struct fastrpc_file *fl)
 {
 struct fastrpc_apps *me = &gfa;
- int cid, err = 0;
+ int cid = -1, err = 0;
 VERIFY(err, fl && fl->sctx && fl->cid >= 0 && fl->cid < NUM_CHANNELS); if (err) { |
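Review bot: In fastrpc_internal_invoke() both new checks jump to `bail` before `ctx`, `perf_counter` and `invoket` are set up, and on the first of them `cid` is already known to be out of range. The `bail` label is outside this hunk; confirm that its cleanup does not index the channel array with `cid` or read the profiling state, because an index there would perform the very out-of-bounds access the check is meant to stop. Since nothing has been acquired at this point, returning directly with `return -ECHRNG;` would remove that dependency. The range failure is also silent here while fastrpc_mmap_free() logs the same condition; a `pr_err` carrying `__func__` and `cid` would keep the two paths consistent for triage.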