soc/google/cpif: Fix OOB write in rx_pktproc am: ff9c5a7cd5

Original change: https://partner-android-review.googlesource.com/c/kernel/private/gs-google/+/2757440 Change-Id: Ibaea75a814053e98211b01f4e779768947cfc2a5 Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
author: Mahesh Kallelil <kallelil@google.com> 2024-03-05 22:53:38 +0000
committer: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com> 2024-03-05 22:53:38 +0000
commit: 8052acdae8f7d501573ab7eed013ea9da003943b (patch)
tree: b7bd8ce5377d965d28db2656cda7aed045154b19
parent: 97c5e34862f9a5c236aae7e1ab9035da1569a675 (diff)
parent: ff9c5a7cd59d14e78e8016010a272189cdfe01e0 (diff)
download: gs-8052acdae8f7d501573ab7eed013ea9da003943b.tar.gz
1 files changed, 8 insertions, 0 deletions
diff --git a/drivers/soc/google/cpif/link_rx_pktproc.c b/drivers/soc/google/cpif/link_rx_pktproc.c
index 8768b718b759..db5e736a3667 100644
--- a/drivers/soc/google/cpif/link_rx_pktproc.c
+++ b/drivers/soc/google/cpif/link_rx_pktproc.c
@@ -414,6 +414,14 @@ static int pktproc_fill_data_addr_without_bm(struct pktproc_queue *q)
 	fore = *q->fore_ptr;
 #endif
 
+	/* The fore pointer is passed by CP from shared memory. Check the
+	 * range to avoid OOB access */
+	if ((fore < 0) || (fore >= q->num_desc)) {
+		mif_err("Invalid fore_ptr (%d) passed by CP on queue(%d)!\n",
+			fore, q->q_idx);
+		return -EINVAL;
+	}
+
 	pp_debug("Q%d:%d/%d/%d\n",
 			q->q_idx, fore, *q->rear_ptr, q->done_ptr);
author	Mahesh Kallelil <kallelil@google.com>	2024-03-05 22:53:38 +0000
committer	Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>	2024-03-05 22:53:38 +0000
commit	8052acdae8f7d501573ab7eed013ea9da003943b (patch)
tree	b7bd8ce5377d965d28db2656cda7aed045154b19
parent	97c5e34862f9a5c236aae7e1ab9035da1569a675 (diff)
parent	ff9c5a7cd59d14e78e8016010a272189cdfe01e0 (diff)
download	gs-8052acdae8f7d501573ab7eed013ea9da003943b.tar.gz