FastRPC keeps invoke and mmap buffer sizes in u64 fields, but coherent DMA allocation takes a size_t. On 32-bit builds, a size above SIZE_MAX can be truncated before allocation while the larger value is still used in the message sent to the DSP.
Reject sizes that cannot fit in size_t before allocating the DMA buffer. Also make the inline payload alignment step overflow-aware so a near-U64_MAX accumulator cannot wrap before the later bounds checks. Signed-off-by: Yousef Alhouseen <[email protected]> --- drivers/misc/fastrpc.c | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/drivers/misc/fastrpc.c b/drivers/misc/fastrpc.c index bfdf8ab6a..8992b5c0c 100644 --- a/drivers/misc/fastrpc.c +++ b/drivers/misc/fastrpc.c @@ -437,6 +437,9 @@ static int __fastrpc_buf_alloc(struct fastrpc_user *fl, struct device *dev, { struct fastrpc_buf *buf; + if (size > SIZE_MAX) + return -EOVERFLOW; + buf = kzalloc_obj(*buf); if (!buf) return -ENOMEM; @@ -1035,8 +1038,14 @@ static int fastrpc_get_payload_size(struct fastrpc_invoke_ctx *ctx, int metalen, u64 len = ctx->olaps[oix].mend - ctx->olaps[oix].mstart; - if (ctx->olaps[oix].offset == 0) - size = ALIGN(size, FASTRPC_ALIGN); + if (ctx->olaps[oix].offset == 0) { + u64 aligned; + + if (check_add_overflow(size, FASTRPC_ALIGN - 1, + &aligned)) + return -EOVERFLOW; + size = aligned & ~(FASTRPC_ALIGN - 1); + } if (check_add_overflow(size, len, &size)) return -EOVERFLOW; -- 2.54.0
