| field | value | date |
|---|---|---|
| author | Mahesh Kallelil <kallelil@google.com> | 2024-03-04 11:07:37 -0800 |
| committer | Mahesh Kallelil <kallelil@google.com> | 2024-03-05 22:12:37 +0000 |
| commit | ff9c5a7cd59d14e78e8016010a272189cdfe01e0 (patch) | |
| tree | 627a1a63c20f8d86e55ef8403be36775f1314db9 | |
| parent | 5b865ae2443f8367220cc9e3cf2c8e3dd9e02743 (diff) | |
| download | gs-android-gs-bluejay-5.10-android15-dp.tar.gz | |
soc/google/cpif: Fix OOB write in rx_pktproc

Tags: android-15-beta-1_r0.6, android-15-beta-1_r0.4, android-15-beta-1_r0.2, android-15-beta-1_r0.1, android-gs-tangorpro-5.10-android15-dp, android-gs-tangorpro-5.10-android15-beta, android-gs-pantah-5.10-android15-dp, android-gs-pantah-5.10-android15-beta, android-gs-felix-5.10-android15-dp, android-gs-felix-5.10-android15-beta, android-gs-bluejay-5.10-android15-dp, android-gs-bluejay-5.10-android15-beta
The fore pointer is passed by CP using shared memory. Without an OOB
check for this, we risk an OOB access if the CP firmware gets compromised.
Bug: 321941700
Change-Id: I744d58fc54bfa5ac75575ba0921e269766d8a1c7
Signed-off-by: Mahesh Kallelil <kallelil@google.com>
-rw-r--r-- | drivers/soc/google/cpif/link_rx_pktproc.c | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/drivers/soc/google/cpif/link_rx_pktproc.c b/drivers/soc/google/cpif/link_rx_pktproc.c index 8768b718b759..db5e736a3667 100644 --- a/drivers/soc/google/cpif/link_rx_pktproc.c +++ b/drivers/soc/google/cpif/link_rx_pktproc.c @@ -414,6 +414,14 @@ static int pktproc_fill_data_addr_without_bm(struct pktproc_queue *q) fore = *q->fore_ptr; #endif + /* The fore pointer is passed by CP from shared memory. Check the + * range to avoid OOB access */ + if ((fore < 0) || (fore >= q->num_desc)) { + mif_err("Invalid fore_ptr (%d) passed by CP on queue(%d)!\n", + fore, q->q_idx); + return -EINVAL; + } + pp_debug("Q%d:%d/%d/%d\n", q->q_idx, fore, *q->rear_ptr, q->done_ptr); |
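Review bot: the `(fore < 0)` half of the new range check in pktproc_fill_data_addr_without_bm() only does anything if `fore` is a signed type; if it is an unsigned index the comparison is always false (and the compiler will warn about it), so either confirm the declaration or drop that half and keep `fore >= q->num_desc`, which is the bound that actually protects the descriptor array. The check is correctly applied to the local copy taken by `fore = *q->fore_ptr;` rather than re-reading shared memory, so the validated value is the one used by the `pp_debug()` that follows; making that load `READ_ONCE(*q->fore_ptr)` would state the single-read intent explicitly and keep the compiler from re-loading a CP-controlled value after the check. Minor style point: kernel style puts the closing `*/` of a multi-line comment on its own line rather than after "OOB access".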