msm: adsprpc: Fix array index underflow problem
Add check to restrict index underflow.This is to avoid
that it does not access invalid index.
Bug: 160605900
Change-Id: Ib971033c5820ca4dab38ace3b106c7b1b42529e4
Acked-by: Gururaj Chalger <gchalger@qti.qualcomm.com>
Signed-off-by: Mohammed Nayeem Ur Rahman <mohara@codeaurora.org>
(cherry picked from commit 6108689d648c1130eed223d1059312a8e0602741)
diff --git a/drivers/char/adsprpc.c b/drivers/char/adsprpc.c
index 9d601bf..7bdd269 100644
--- a/drivers/char/adsprpc.c
+++ b/drivers/char/adsprpc.c
@@ -717,12 +717,23 @@
{
struct fastrpc_apps *me = &gfa;
struct fastrpc_file *fl;
- int vmid;
+ int vmid, cid = -1, err = 0;
struct fastrpc_session_ctx *sess;
if (!map)
return;
fl = map->fl;
+ if (fl && !(map->flags == ADSP_MMAP_HEAP_ADDR ||
+ map->flags == ADSP_MMAP_REMOTE_HEAP_ADDR)) {
+ cid = fl->cid;
+ VERIFY(err, cid >= ADSP_DOMAIN_ID && cid < NUM_CHANNELS);
+ if (err) {
+ err = -ECHRNG;
+ pr_err("adsprpc: ERROR:%s, Invalid channel id: %d, err:%d",
+ __func__, cid, err);
+ return;
+ }
+ }
if (map->flags == ADSP_MMAP_HEAP_ADDR ||
map->flags == ADSP_MMAP_REMOTE_HEAP_ADDR) {
spin_lock(&me->hlock);
@@ -803,20 +814,21 @@
struct fastrpc_apps *me = &gfa;
struct fastrpc_session_ctx *sess;
struct fastrpc_apps *apps = fl->apps;
- int cid = fl->cid;
- struct fastrpc_channel_ctx *chan = NULL;
struct fastrpc_mmap *map = NULL;
+ struct fastrpc_channel_ctx *chan = NULL;
unsigned long attrs;
dma_addr_t region_phys = 0;
void *region_vaddr = NULL;
unsigned long flags;
- int err = 0, vmid;
+ int err = 0, vmid, cid = -1;
- VERIFY(err, cid >= 0 && cid < NUM_CHANNELS);
- if (err)
+ cid = fl->cid;
+ VERIFY(err, cid >= ADSP_DOMAIN_ID && cid < NUM_CHANNELS);
+ if (err) {
+ err = -ECHRNG;
goto bail;
+ }
chan = &apps->channel[cid];
-
if (!fastrpc_mmap_find(fl, fd, va, len, mflags, 1, ppmap))
return 0;
map = kzalloc(sizeof(*map), GFP_KERNEL);
@@ -1855,12 +1867,22 @@
{
struct smq_msg *msg = &ctx->msg;
struct fastrpc_file *fl = ctx->fl;
- struct fastrpc_channel_ctx *channel_ctx = &fl->apps->channel[fl->cid];
- int err = 0, len;
+ int err = 0, len, cid = -1;
+ struct fastrpc_channel_ctx *channel_ctx = NULL;
+
+ cid = fl->cid;
+ VERIFY(err, cid >= ADSP_DOMAIN_ID && cid < NUM_CHANNELS);
+ if (err) {
+ err = -ECHRNG;
+ goto bail;
+ }
+ channel_ctx = &fl->apps->channel[fl->cid];
VERIFY(err, NULL != channel_ctx->chan);
- if (err)
+ if (err) {
+ err = -ECHRNG;
goto bail;
+ }
msg->pid = fl->tgid;
msg->tid = current->pid;
if (fl->sessionid)
@@ -1979,11 +2001,22 @@
{
struct smq_invoke_ctx *ctx = NULL;
struct fastrpc_ioctl_invoke *invoke = &inv->inv;
- int cid = fl->cid;
- int interrupted = 0;
- int err = 0;
+ int err = 0, cid = -1, interrupted = 0;
struct timespec invoket = {0};
- int64_t *perf_counter = getperfcounter(fl, PERF_COUNT);
+ int64_t *perf_counter = NULL;
+
+ cid = fl->cid;
+ VERIFY(err, cid >= ADSP_DOMAIN_ID && cid < NUM_CHANNELS);
+ if (err) {
+ err = -ECHRNG;
+ goto bail;
+ }
+ VERIFY(err, fl->sctx != NULL);
+ if (err) {
+ err = -EBADR;
+ goto bail;
+ }
+ perf_counter = getperfcounter(fl, PERF_COUNT);
if (fl->profile)
getnstimeofday(&invoket);
@@ -1997,13 +2030,6 @@
}
}
- VERIFY(err, fl->sctx != NULL);
- if (err)
- goto bail;
- VERIFY(err, fl->cid >= 0 && fl->cid < NUM_CHANNELS);
- if (err)
- goto bail;
-
if (!kernel) {
VERIFY(err, 0 == context_restore_interrupted(fl, inv,
&ctx));
@@ -3351,7 +3377,7 @@
static int fastrpc_channel_open(struct fastrpc_file *fl)
{
struct fastrpc_apps *me = &gfa;
- int cid, ii, err = 0;
+ int cid = -1, ii, err = 0;
mutex_lock(&me->smd_mutex);
@@ -3359,9 +3385,11 @@
if (err)
goto bail;
cid = fl->cid;
- VERIFY(err, cid >= 0 && cid < NUM_CHANNELS);
- if (err)
+ VERIFY(err, cid >= ADSP_DOMAIN_ID && cid < NUM_CHANNELS);
+ if (err) {
+ err = -ECHRNG;
goto bail;
+ }
if (me->channel[cid].ssrcount !=
me->channel[cid].prevssrcount) {
if (!me->channel[cid].issubsystemup) {
