rpmsg : glink: validate head and tail index before fifo read write

We do not validate the head and tail indices of the tx and rx fifos
before using them to read or write the fifo. This can result in
out-of-bounds memory access if head and tail have incorrect values.

This patch adds check for validation of head and tail index.

CRs-Fixed: 2398099
Change-Id: Ia8725a731cc7a45f7e13b09e1e62842ff44d53f3
Signed-off-by: Deepak Kumar Singh <deesin@codeaurora.org>
Deepak Kumar Singh 2019-03-01 19:42:22 +05:30 committed by Arun Kumar Neelakantam
parent 71ba584cac
commit e80a8aa9b8


@ -1,7 +1,7 @@
// SPDX-License-Identifier: GPL-2.0
/*
* Copyright (c) 2016, Linaro Ltd
* Copyright (c) 2018, The Linux Foundation, All rights reserved.
* Copyright (c) 2018-2019, The Linux Foundation, All rights reserved.
*/
#include <linux/io.h>
@ -72,9 +72,14 @@ static size_t glink_smem_rx_avail(struct qcom_glink_pipe *np)
tail = le32_to_cpu(*pipe->tail);
if (head < tail)
return pipe->native.length - tail + head;
len = pipe->native.length - tail + head;
else
return head - tail;
len = head - tail;
if (WARN_ON_ONCE(len > pipe->native.length))
len = 0;
return len;
}
static void glink_smem_rx_peak(struct qcom_glink_pipe *np,
@ -85,6 +90,10 @@ static void glink_smem_rx_peak(struct qcom_glink_pipe *np,
u32 tail;
tail = le32_to_cpu(*pipe->tail);
if (WARN_ON_ONCE(tail > pipe->native.length))
return;
tail += offset;
if (tail >= pipe->native.length)
tail -= pipe->native.length;
@ -109,7 +118,7 @@ static void glink_smem_rx_advance(struct qcom_glink_pipe *np,
tail += count;
if (tail >= pipe->native.length)
tail -= pipe->native.length;
tail %= pipe->native.length;
*pipe->tail = cpu_to_le32(tail);
}
@ -134,6 +143,9 @@ static size_t glink_smem_tx_avail(struct qcom_glink_pipe *np)
else
avail -= FIFO_FULL_RESERVE + TX_BLOCKED_CMD_RESERVE;
if (WARN_ON_ONCE(avail > pipe->native.length))
avail = 0;
return avail;
}
@ -143,6 +155,9 @@ static unsigned int glink_smem_tx_write_one(struct glink_smem_pipe *pipe,
{
size_t len;
if (WARN_ON_ONCE(head > pipe->native.length))
return head;
len = min_t(size_t, count, pipe->native.length - head);
if (len)
memcpy(pipe->fifo + head, data, len);
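Review bot: The new guard in glink_smem_rx_avail bounds only the computed `len`, so a head and tail that both lie beyond `pipe->native.length` but close to each other still yield a plausible length and the read path carries on; as far as the visible lines show, the `avail` check in glink_smem_tx_avail has the same gap. Both indices are read from the shared FIFO descriptor (`le32_to_cpu(*pipe->tail)`), so each should be checked on its own right after it is read, e.g. `if (WARN_ON_ONCE(head > pipe->native.length || tail > pipe->native.length)) return 0;`. In glink_smem_rx_peak the early `return` on a bad tail leaves the caller's destination buffer unwritten, and because the function returns void the caller (outside this view) cannot tell; zero-filling the destination before returning would keep it from parsing stale or uninitialised bytes. Likewise `return head;` in glink_smem_tx_write_one hands the out-of-range index back unchanged, so the caller may still store it to the shared head and treat the data as sent. Several of these function bodies start or end outside the hunks shown, so the caller-side effects are inferred.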