author | Alex Elder <elder@linaro.org> | 2018-06-26 02:58:53 +0200 |
---|---|---|
committer | Andy Gross <andy.gross@linaro.org> | 2018-09-13 23:57:06 +0200 |
commit | 380dc4af50a61eaa8b749fac2e7e40ebf92079aa (patch) | |
tree | 1f059f1d290f087b858eef9d27b812dbf0932519 /drivers/soc | |
parent | soc: qcom: smem: verify partition header size (diff) | |
soc: qcom: smem: verify partition offset_free_uncached
Add verification in qcom_smem_partition_header() that the
offset_free_uncached field in a partition's header structure does
not exceed the partition's size.
Signed-off-by: Alex Elder <elder@linaro.org>
Signed-off-by: Andy Gross <andy.gross@linaro.org>
Diffstat (limited to 'drivers/soc')
-rw-r--r-- | drivers/soc/qcom/smem.c | 21 |
1 files changed, 7 insertions, 14 deletions
diff --git a/drivers/soc/qcom/smem.c b/drivers/soc/qcom/smem.c
index efaeec4a0395..a94888c26e18 100644
--- a/drivers/soc/qcom/smem.c
+++ b/drivers/soc/qcom/smem.c
@@ -751,6 +751,12 @@ qcom_smem_partition_header(struct qcom_smem *smem,
 return NULL;
 }
 
+ if (le32_to_cpu(header->offset_free_uncached) > size) {
+ dev_err(smem->dev, "bad partition free uncached (%u > %u)\n",
+ le32_to_cpu(header->offset_free_uncached), size);
+ return NULL;
+ }
+
 return header;
 }
 
@@ -759,7 +765,7 @@ static int qcom_smem_set_global_partition(struct qcom_smem *smem)
 struct smem_partition_header *header;
 struct smem_ptable_entry *entry;
 struct smem_ptable *ptable;
- u32 host0, host1, size;
+ u32 host0, host1;
 bool found = false;
 int i;
 
@@ -804,13 +810,6 @@ static int qcom_smem_set_global_partition(struct qcom_smem *smem)
 return -EINVAL;
 }
 
- size = le32_to_cpu(header->offset_free_uncached);
- if (size > le32_to_cpu(header->size)) {
- dev_err(smem->dev,
- "Global partition has invalid free pointer\n");
- return -EINVAL;
- }
-
 smem->global_partition = header;
 smem->global_cacheline = le32_to_cpu(entry->cacheline);
 
@@ -874,12 +873,6 @@ static int qcom_smem_enumerate_partitions(struct qcom_smem *smem,
 return -EINVAL;
 }
 
- if (le32_to_cpu(header->offset_free_uncached) > le32_to_cpu(header->size)) {
- dev_err(smem->dev,
- "Partition %d has invalid free pointer\n", i);
- return -EINVAL;
- }
-
 smem->partitions[remote_host] = header;
 smem->cacheline[remote_host] = le32_to_cpu(entry->cacheline);
 }
|
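Review bot: The added check in qcom_smem_partition_header() fetches `header->offset_free_uncached` twice, once for the comparison and again for the log message, and nothing here keeps the value stable afterwards. If the header lives in memory that a remote processor can write (expected for a shared-memory driver, though not shown in this hunk), this is a one-time sanity check at setup, and any later code that walks the partition using this field still has to bound it at the point of use. Reading it once, `u32 free_off = le32_to_cpu(header->offset_free_uncached);`, and testing `if (free_off > size) {` at least makes the logged value the one that was rejected. The check is also only an upper bound; assuming the offset is counted from the start of the header, a value below `sizeof(*header)` passes and could be rejected here too. The function body starts outside the hunk, so the origin of `size` is not visible.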