Add verification in qcom_smem_partition_header() that the
offset_free_uncached field in a partition's header structure does
not exceed the partition's size.

Signed-off-by: Alex Elder <[email protected]>
---
 drivers/soc/qcom/smem.c | 21 +++++++--------------
 1 file changed, 7 insertions(+), 14 deletions(-)

diff --git a/drivers/soc/qcom/smem.c b/drivers/soc/qcom/smem.c
index 95d218d3a595..f5d7af1623a9 100644
--- a/drivers/soc/qcom/smem.c
+++ b/drivers/soc/qcom/smem.c
@@ -755,6 +755,12 @@ qcom_smem_partition_header(struct qcom_smem *smem,
                return NULL;
        }
 
+       if (le32_to_cpu(header->offset_free_uncached) > size) {
+               dev_err(smem->dev, "bad partition free uncached (%u > %u)\n",
+                       le32_to_cpu(header->offset_free_uncached), size);
+               return NULL;
+       }
+
        return header;
 }
 
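Review bot: The added check in qcom_smem_partition_header() converts `header->offset_free_uncached` twice, once for the comparison and once for the message, and the header presumably sits in memory that other processors can write, so the logged value may differ from the one that was tested; read it once, `u32 free_off = le32_to_cpu(header->offset_free_uncached);`, and use `free_off` in both the `if` and the `dev_err()`. The consolidated message also no longer says which partition failed, where the removed caller messages named the global partition or printed the index `i`; including the partition's host ids, if they are available in this function, would keep that. Only an upper bound is enforced, and only at this point: a value smaller than the header itself would still pass, and code that uses the field later should not rely on this one-time validation if the region stays remotely writable. The function's start, including where `size` is assigned, is outside the hunk, so this assumes `size` is the already-validated partition size.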
@@ -763,7 +769,7 @@ static int qcom_smem_set_global_partition(struct qcom_smem 
*smem)
        struct smem_partition_header *header;
        struct smem_ptable_entry *entry;
        struct smem_ptable *ptable;
-       u32 host0, host1, size;
+       u32 host0, host1;
        bool found = false;
        int i;
 
@@ -803,13 +809,6 @@ static int qcom_smem_set_global_partition(struct qcom_smem 
*smem)
                return -EINVAL;
        }
 
-       size = le32_to_cpu(header->offset_free_uncached);
-       if (size > le32_to_cpu(header->size)) {
-               dev_err(smem->dev,
-                       "Global partition has invalid free pointer\n");
-               return -EINVAL;
-       }
-
        smem->global_partition = header;
        smem->global_cacheline = le32_to_cpu(entry->cacheline);
 
@@ -873,12 +872,6 @@ static int qcom_smem_enumerate_partitions(struct qcom_smem 
*smem,
                        return -EINVAL;
                }
 
-               if (le32_to_cpu(header->offset_free_uncached) > 
le32_to_cpu(header->size)) {
-                       dev_err(smem->dev,
-                               "Partition %d has invalid free pointer\n", i);
-                       return -EINVAL;
-               }
-
                smem->partitions[remote_host] = header;
                smem->cacheline[remote_host] = le32_to_cpu(entry->cacheline);
        }
-- 
2.17.1
