Commit 7a671fab authored by Prakruthi Deepak Heragu's avatar Prakruthi Deepak Heragu
Browse files

gunyah: gh_rm_drv: Avoid integer overflow for req_payload_size calculation



There could be a potential integer overflow while calculating the
response payload size. Because of this, incorrect memory size could be
copied or allocated. Add a check so that there is no overflow.

Change-Id: I876fbaa704ba51dc4a9e4eb4d3f7f0eaa749e06d
Signed-off-by: default avatarPrakruthi Deepak Heragu <pheragu@codeaurora.org>
parent fc463f94
......@@ -201,6 +201,8 @@ gh_rm_vm_get_id(gh_vmid_t vmid, u32 *n_entries)
/* The response payload should contain all the resource entries */
if (resp_payload_size < sizeof(*n_entries) ||
(sizeof(*n_entries) > (U32_MAX -
(resp_payload->n_id_entries * sizeof(*resp_entries)))) ||
resp_payload_size != sizeof(*n_entries) +
(resp_payload->n_id_entries * sizeof(*resp_entries))) {
pr_err("%s: Invalid size received for GET_ID: %u\n",
......@@ -437,6 +439,8 @@ gh_rm_vm_get_hyp_res(gh_vmid_t vmid, u32 *n_entries)
/* The response payload should contain all the resource entries */
if (resp_payload_size < sizeof(*n_entries) ||
(sizeof(*n_entries) > (U32_MAX -
(resp_payload->n_resource_entries * sizeof(*resp_entries)))) ||
resp_payload_size != sizeof(*n_entries) +
(resp_payload->n_resource_entries * sizeof(*resp_entries))) {
pr_err("%s: Invalid size received for GET_HYP_RESOURCES: %u\n",
......@@ -1059,7 +1063,7 @@ int gh_rm_console_write(gh_vmid_t vmid, const char *buf, size_t size)
int reply_err_code = 0;
size_t req_payload_size = sizeof(*req_payload) + size;
if (size < 1 || size > U32_MAX)
if (size < 1 || size > (U32_MAX - sizeof(*req_payload)))
return -EINVAL;
req_payload = kzalloc(req_payload_size, GFP_KERNEL);
......
Supports Markdown
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment