Re: [PATCH] misc: fastrpc: keep copied arguments inside the invoke buffer

Next message: Pengpeng Hou: "[PATCH] Bluetooth: btintel_pcie: validate completion ring indices"
Previous message: Deng, Pan: "RE: [PATCH v2 1/4] sched/rt: Optimize cpupri_vec layout to mitigate cache line contention"
Next in thread: Pengpeng Hou: "Re: [PATCH] misc: fastrpc: keep copied arguments inside the invoke buffer"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Konrad Dybcio

Date: Tue Mar 24 2026 - 05:42:11 EST

On 3/24/26 2:44 AM, Pengpeng Hou wrote:
> fastrpc_get_args() derives rpra[i].buf.pv from the overlap offset that
> was computed from user-controlled argument pointers and lengths. The
> resulting destination pointer is then used for copy_from_user() without
> first checking that it still falls inside the allocated invoke buffer.
>
> Validate the overlap-derived destination range before storing it in
> rpra[i].buf.pv and before copying inline arguments into the invoke
> buffer.
> ---

Your contribution lacks a DCO:

https://docs.kernel.org/process/submitting-patches.html#sign-your-work-the-developer-s-certificate-of-origin

without which we can't accept it.

Please run ./scripts/checkpatch.pl on the patch file

Konrad