Re: [PATCH v3 3/9] misc: fastrpc: Fix memory corruption in DSP capabilities

From: Dmitry Baryshkov
Date: Thu May 30 2024 - 07:00:40 EST


On Thu, May 30, 2024 at 03:50:21PM +0530, Ekansh Gupta wrote:
> DSP capabilities request is sending bad size to utilities skel
> call which is resulting in memory corruption. Pass proper size
> to avoid the corruption.
>
> Fixes: 6c16fd8bdd40 ("misc: fastrpc: Add support to get DSP capabilities")
> Cc: stable <stable@xxxxxxxxxx>
> Signed-off-by: Ekansh Gupta <quic_ekangupt@xxxxxxxxxxx>

Should be squashed to the previous commit.

> ---
> drivers/misc/fastrpc.c | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/drivers/misc/fastrpc.c b/drivers/misc/fastrpc.c
> index 61389795f498..3e1ab58038ed 100644
> --- a/drivers/misc/fastrpc.c
> +++ b/drivers/misc/fastrpc.c
> @@ -1695,6 +1695,7 @@ static int fastrpc_get_info_from_dsp(struct fastrpc_user *fl, uint32_t *dsp_attr
>
> /* Capability filled in userspace */
> dsp_attr_buf[0] = 0;
> + dsp_attr_buf_len -= 1;
>
> args[0].ptr = (u64)(uintptr_t)&dsp_attr_buf_len;
> args[0].length = sizeof(dsp_attr_buf_len);
> --
> 2.43.0
>

--
With best wishes
Dmitry