From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-alma10-1.taild15c8.ts.net [100.103.45.18]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 25EDD374A03; Wed, 1 Jul 2026 20:05:40 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=100.103.45.18 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1782936342; cv=none; b=VTxCIabHxS1ZcvULGbFMaUBdiyz6U/17ma8/9WrSN6EyPNPkNRQH2yV05HTkGlN5zfdy2ImV2fxtVBpW6J+GBt+UdMBN9jL8ibYu7xnI+GXiaOm0ZQt9zTgvNOTjaoKJv0gpFRQB7WMR21dYuSUYagly6WaBVuODRm81wpfmhHo= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1782936342; c=relaxed/simple; bh=ulxgbENz4oihKoctbm58668XFEp1rf1BSQNovLiRYoE=; h=Message-ID:Date:MIME-Version:Subject:To:Cc:References:From: In-Reply-To:Content-Type; b=DBlx8VHjzFXZaFWhx5rnAQTGx9K9sUSH4uPs6y1SgoIglXQdMyKwxZRWegX5aDHJrZKMZoarCfZ10naE8OQvvwpVKssk0U6XGekkH58qpjdCBnBhA2KuefDqP7uP+7/pQ814SOxRFFOOHD7RQxbjW97y/vkvGuOX2Fh8ZPG/bJw= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=CbVYFDl4; arc=none smtp.client-ip=100.103.45.18 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="CbVYFDl4" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 3E33A1F000E9; Wed, 1 Jul 2026 20:05:39 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=kernel.org; s=k20260515; t=1782936340; bh=g7/A390eY5J9OJzf+cYzH6TGGqISp3TPh1uGKzUtdKY=; h=Date:Subject:To:Cc:References:From:In-Reply-To; b=CbVYFDl4Shd272uwnCiHpQE1ttFBPprzn5qjetkapaoNjn5iNWiFmCLK1GtLc9av2 vIK63933K01L7Bza6tkk4xdRXCuhFrvKe1cOXCWgKO2ZR2Droc4143XPqph1crI5+v soVnzcks2sZOCwZwBZ1y6LmdB0DNCI4VzPfOf2YBaFm6tb8fZho/2ujsIv4gWGkgLw jlet6LVoU/9Amn0GXS+BRTm2IOSwN2bOAqq8NBlOLn0riWiyOAkzljqSbEH1qgxeXB UmlfKSgrW0nFTAEZ3bGaaeDXlxrBkC3ygQpSuOJZgiC8/PDJ0JcghWFKp+tKYh6ko/ EWHV451NN+b/A== Message-ID: Date: Wed, 1 Jul 2026 21:05:37 +0100 Precedence: bulk X-Mailing-List: linux-arm-msm@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 User-Agent: Mozilla Thunderbird Subject: Re: [PATCH] misc: fastrpc: reject overflowing invoke buffer ranges To: Yousef Alhouseen , Srinivas Kandagatla , Amol Maheshwari Cc: Arnd Bergmann , Greg Kroah-Hartman , linux-arm-msm@vger.kernel.org, dri-devel@lists.freedesktop.org, linux-kernel@vger.kernel.org, Ekansh Gupta References: <20260624174410.6074-1-alhouseenyousef@gmail.com> Content-Language: en-US From: Srinivas Kandagatla In-Reply-To: <20260624174410.6074-1-alhouseenyousef@gmail.com> Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 7bit On 6/24/26 6:44 PM, Yousef Alhouseen wrote: > fastrpc_get_buff_overlaps() builds end addresses from user ranges. > > A wrapped end can understate the payload size. > > It can also feed bad ranges into the invoke metadata. > > Reject invoke buffers whose pointer plus length overflows. > > Signed-off-by: Yousef Alhouseen You have sent 11 patches independently, I would prefer it to be sent as single series. Are these patches fixing anything that your usecases are hitting? Have you looked at the patches in the mailing list which fixes some of these issues? Or Is AI generating these patches ? --srini > --- > drivers/misc/fastrpc.c | 18 +++++++++++++++--- > 1 file changed, 15 insertions(+), 3 deletions(-) > > diff --git a/drivers/misc/fastrpc.c b/drivers/misc/fastrpc.c > index f3a493845..ba4ade874 100644 > --- a/drivers/misc/fastrpc.c > +++ b/drivers/misc/fastrpc.c > @@ -13,6 +13,7 @@ > #include > #include > #include > +#include > #include > #include > #include > @@ -607,14 +608,17 @@ static int olaps_cmp(const void *a, const void *b) > return st == 0 ? ed : st; > } > > -static void fastrpc_get_buff_overlaps(struct fastrpc_invoke_ctx *ctx) > +static int fastrpc_get_buff_overlaps(struct fastrpc_invoke_ctx *ctx) > { > u64 max_end = 0; > int i; > > for (i = 0; i < ctx->nbufs; ++i) { > ctx->olaps[i].start = ctx->args[i].ptr; > - ctx->olaps[i].end = ctx->olaps[i].start + ctx->args[i].length; > + if (check_add_overflow(ctx->olaps[i].start, > + ctx->args[i].length, > + &ctx->olaps[i].end)) > + return -EOVERFLOW; > ctx->olaps[i].raix = i; > } > > @@ -641,6 +645,8 @@ static void fastrpc_get_buff_overlaps(struct fastrpc_invoke_ctx *ctx) > max_end = ctx->olaps[i].end; > } > } > + > + return 0; > } > > static struct fastrpc_invoke_ctx *fastrpc_context_alloc( > @@ -675,7 +681,13 @@ static struct fastrpc_invoke_ctx *fastrpc_context_alloc( > return ERR_PTR(-ENOMEM); > } > ctx->args = args; > - fastrpc_get_buff_overlaps(ctx); > + ret = fastrpc_get_buff_overlaps(ctx); > + if (ret) { > + kfree(ctx->olaps); > + kfree(ctx->maps); > + kfree(ctx); > + return ERR_PTR(ret); > + } > } > > /* Released in fastrpc_context_put() */