soc: qcom: scm: check for size_t overflow.
Check for size_t overflow when calculating scm buffer size,
returning an error if the required buffer is too large.

Bug: 35401052
Change-Id: Ie630077adbdb6b2b6f0fa0df7be031064034a968
Signed-off-by: Andrew Chant <achant@google.com>
Andrew Chant authored and pattjin committed Mar 15, 2017
1 parent 7412756 commit 21821a0
Showing 1 changed file with 19 additions and 8 deletions.
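--- a/drivers/soc/qcom/scm.c
+++ b/drivers/soc/qcom/scm.c
@@ -37,9 +37,6 @@ static DEFINE_MUTEX(scm_lock);
 #define SCM_EBUSY_WAIT_MS 30
 #define SCM_EBUSY_MAX_RETRY 20
 
-#define SCM_BUF_LEN(__cmd_size, __resp_size) \
-(sizeof(struct scm_command) + sizeof(struct scm_response) + \
-__cmd_size + __resp_size)
 /**
 * struct scm_command - one SCM command buffer
 * @len: total available memory for command and response
@@ -108,6 +105,21 @@ struct scm_response {
 
 #endif
 
+/* Calculate size for buffer given cmd_size and resp_size.
+* Returns 0 in case the result would overflow size_t.
+*/
+static size_t scm_get_buf_len(size_t cmd_size, size_t resp_size)
+{
+size_t contents = cmd_size + resp_size;
+size_t structs = sizeof(struct scm_command) +
+sizeof(struct scm_response);
+size_t buf_len = contents + structs;
+
+if (contents < cmd_size || buf_len < contents)
+buf_len = 0;
+return buf_len;
+}
+
 /**
 * scm_command_to_response() - Get a pointer to a scm_response
 * @cmd: command
@@ -329,10 +341,9 @@ int scm_call_noalloc(u32 svc_id, u32 cmd_id, const void *cmd_buf,
 void *scm_buf, size_t scm_buf_len)
 {
 int ret;
-size_t len = SCM_BUF_LEN(cmd_len, resp_len);
+size_t len = scm_get_buf_len(cmd_len, resp_len);
 
-if (cmd_len > scm_buf_len || resp_len > scm_buf_len ||
-len > scm_buf_len)
+if (len == 0 || len > scm_buf_len)
 return -EINVAL;
 
 if (!IS_ALIGNED((unsigned long)scm_buf, PAGE_SIZE))
@@ -369,9 +380,9 @@ int scm_call(u32 svc_id, u32 cmd_id, const void *cmd_buf, size_t cmd_len,
 {
 struct scm_command *cmd;
 int ret;
-size_t len = SCM_BUF_LEN(cmd_len, resp_len);
+size_t len = scm_get_buf_len(cmd_len, resp_len);
 
-if (cmd_len > len || resp_len > len)
+if (len == 0 || PAGE_ALIGN(len) < len)
 return -EINVAL;
 
 cmd = kzalloc(PAGE_ALIGN(len), GFP_KERNEL);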
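Review bot: scm_get_buf_len() reports overflow through an in-band 0, and the per-argument bounds that scm_call_noalloc() and scm_call() used to test explicitly now hold only because each caller checks `len == 0` first; neither the helper's comment nor the call sites state that contract. I would turn the helper's comment into kernel-doc like the neighbouring `/** ... */` blocks, noting that 0 can never be a valid length (the two struct sizes are always added) and that every caller must reject it, and put `/* len == 0: cmd_len + resp_len + headers overflowed size_t */` above both checks so a later cleanup does not drop them. In scm_call(), PAGE_ALIGN(len) is evaluated once for the wrap test and again for kzalloc(); holding it in one local, e.g. `size_t alloc_len = PAGE_ALIGN(len);`, keeps the tested size and the allocated size from drifting apart. Both function bodies continue outside the visible hunks, so how len is stored and used afterwards cannot be judged from here.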
