msm: ADSPRPC: Buffer length to be copied is truncated
The buffer length that is being used to allocate gets truncated
due to it being assigned to wrong type causing a much smaller
buffer to be allocated than what is required for copying.
Change-Id: I30818acd42bd282837c7c7aa16d56d3b95d4dfe7
Signed-off-by: Sathish Ambley <sathishambley@codeaurora.org>
diff --git a/drivers/char/adsprpc.c b/drivers/char/adsprpc.c
index 783e35f..1795722 100644
--- a/drivers/char/adsprpc.c
+++ b/drivers/char/adsprpc.c
@@ -1023,6 +1023,7 @@ static int get_args(uint32_t kernel, struct smq_invoke_ctx *ctx)
/* calculate len requreed for copying */
for (oix = 0; oix < inbufs + outbufs; ++oix) {
int i = ctx->overps[oix]->raix;
+ uintptr_t mstart, mend;
ssize_t len = lpra[i].buf.len;
if (!len)
@@ -1031,7 +1032,15 @@ static int get_args(uint32_t kernel, struct smq_invoke_ctx *ctx)
continue;
if (ctx->overps[oix]->offset == 0)
copylen = ALIGN(copylen, BALIGN);
- copylen += ctx->overps[oix]->mend - ctx->overps[oix]->mstart;
+ mstart = ctx->overps[oix]->mstart;
+ mend = ctx->overps[oix]->mend;
+ VERIFY(err, (mend - mstart) <= LONG_MAX);
+ if (err)
+ goto bail;
+ copylen += mend - mstart;
+ VERIFY(err, copylen >= 0);
+ if (err)
+ goto bail;
}
ctx->used = copylen;
@@ -1111,7 +1120,7 @@ static int get_args(uint32_t kernel, struct smq_invoke_ctx *ctx)
for (oix = 0; oix < inbufs + outbufs; ++oix) {
int i = ctx->overps[oix]->raix;
struct fastrpc_mmap *map = ctx->maps[i];
- int mlen = ctx->overps[oix]->mend - ctx->overps[oix]->mstart;
+ ssize_t mlen;
uint64_t buf;
ssize_t len = lpra[i].buf.len;
@@ -1123,6 +1132,7 @@ static int get_args(uint32_t kernel, struct smq_invoke_ctx *ctx)
rlen -= ALIGN(args, BALIGN) - args;
args = ALIGN(args, BALIGN);
}
+ mlen = ctx->overps[oix]->mend - ctx->overps[oix]->mstart;
VERIFY(err, rlen >= mlen);
if (err)
goto bail;