From: Pengpeng Hou
To: srini@kernel.org, amahesh@qti.qualcomm.com, arnd@arndb.de, gregkh@linuxfoundation.org
Cc: konradybcio@kernel.org, thierry.escande@linaro.org, linux-arm-msm@vger.kernel.org, dri-devel@lists.freedesktop.org, linux-kernel@vger.kernel.org, pengpeng@iscas.ac.cn
Subject: [PATCH v2] misc: fastrpc: validate overlap-derived invoke buffer ranges
Date: Tue, 24 Mar 2026 19:45:14 +0800
Message-ID: <20260324114514.79392-1-pengpeng@iscas.ac.cn>
X-Mailer: git-send-email 2.50.1
In-Reply-To: <20260324014459.93364-1-pengpeng@iscas.ac.cn>
References: <20260324014459.93364-1-pengpeng@iscas.ac.cn>
X-Mailing-List: linux-kernel@vger.kernel.org
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

fastrpc_get_args() derives rpra[i].buf.pv from the overlap offset that was
computed from user-controlled argument pointers and lengths. The resulting
destination pointer is later passed to copy_from_user() or memcpy() without
checking that the overlap-adjusted range still stays inside the allocated
invoke buffer.

Reject overlap-derived destinations that would point before the start of the
invoke buffer or that would extend past the end of the allocated packet
before storing rpra[i].buf.pv and before copying inline arguments into the
buffer.

Fixes: c68cfb718c8f ("misc: fastrpc: Add support for context Invoke method")
Found by static code analysis.
Signed-off-by: Pengpeng Hou
---
v2:
- add the missing Signed-off-by line
- add a Fixes tag and note that the issue was found by static code analysis
- run checkpatch and keep the patch checkpatch-clean

 drivers/misc/fastrpc.c | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)

diff --git a/drivers/misc/fastrpc.c b/drivers/misc/fastrpc.c
index 47356a5d5804..7dfb5eb6dc92 100644
--- a/drivers/misc/fastrpc.c
+++ b/drivers/misc/fastrpc.c
@@ -993,6 +993,7 @@ static int fastrpc_get_args(u32 kernel, struct fastrpc_= invoke_ctx *ctx) u64 len, rlen, pkt_size; u64 pg_start, pg_end; uintptr_t args; + uintptr_t buf_start, buf_end; int metalen; =20 inbufs =3D REMOTE_SCALARS_INBUFS(ctx->sc); @@ -1016,6 +1017,8 @@ static int fastrpc_get_args(u32 kernel, struct fastrp= c_invoke_ctx *ctx) rpra =3D ctx->buf->virt; list =3D fastrpc_invoke_buf_start(rpra, ctx->nscalars); pages =3D fastrpc_phy_page_start(list, ctx->nscalars); + buf_start =3D (uintptr_t)ctx->buf->virt; + buf_end =3D buf_start + pkt_size; args =3D (uintptr_t)ctx->buf->virt + metalen; rlen =3D pkt_size - metalen; ctx->rpra =3D rpra;
@@ -1053,6 +1056,7 @@ static int fastrpc_get_args(u32 kernel, struct fastrp= c_invoke_ctx *ctx) pages[i].size =3D (pg_end - pg_start + 1) * PAGE_SIZE; =20 } else { + uintptr_t dst; =20 if (ctx->olaps[oix].offset =3D=3D 0) { rlen -=3D ALIGN(args, FASTRPC_ALIGN) - args; @@ -1064,7 +1068,18 @@ static int fastrpc_get_args(u32 kernel, struct fastr= pc_invoke_ctx *ctx) if (rlen < mlen) goto bail; =20 - rpra[i].buf.pv =3D args - ctx->olaps[oix].offset; + if (ctx->olaps[oix].offset > args - buf_start) { + err =3D -EINVAL; + goto bail; + } + + dst =3D args - ctx->olaps[oix].offset; + if (len > buf_end - dst) { + err =3D -EINVAL; + goto bail; + } + + rpra[i].buf.pv =3D dst; pages[i].addr =3D ctx->buf->dma_addr - ctx->olaps[oix].offset + (pkt_size - rlen); --=20 2.50.1 (Apple Git-155)
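Review bot: in the hunk at @@ -1016 the lower bound is taken as the packet start (`buf_start = (uintptr_t)ctx->buf->virt;`), but the inline-argument area that overlap offsets index begins at `ctx->buf->virt + metalen`, as the next line `args = (uintptr_t)ctx->buf->virt + metalen;` shows. A destination that lands in [buf_start, buf_start + metalen) still passes the later `offset > args - buf_start` test, so the copy could overwrite the rpra/list/pages metadata that sits there. Either bound against the start of the argument area (the initial `args`, i.e. `buf_start + metalen`) or state in the commit message why the packet start is the intended limit.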
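Review bot: in the hunk at @@ -1064 the two new rejections set `err = -EINVAL` before `goto bail`, while the pre-existing `if (rlen < mlen) goto bail;` two lines above still jumps with err untouched, so three adjacent failure paths report differently; unless err is known to be non-zero there, that older check reaches bail with whatever err held (zero on the success path) and is worth aligning in this series or a follow-up. Minor: `args - buf_start` is evaluated unconditionally before the comparison; it is safe only because `args` never moves below `buf_start` in this function, and a one-line comment saying so would save the next reader the same reasoning.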
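To show concretely what the two checks in the last hunk reject, here is a small model of the invoke-buffer arithmetic with the unchecked (pre-patch) destination beside the checked one. This is an added example, not code from the driver or from the patch; the buffer addresses and sizes are constructed, and the driver's earlier `rlen < mlen` check is not modelled.

```c
#include <stdint.h>
#include <errno.h>

/*
 * Constructed model of the packet layout the patch reasons about
 * (values are made up; this is not the driver's own code):
 *   [buf_start, buf_start + metalen)   rpra / list / pages metadata
 *   [buf_start + metalen, buf_end)     inline argument payload, cursor "args"
 */

/* Pre-patch: the destination is derived from the overlap offset unchecked.
 * An offset larger than (args - buf_start) wraps to an address below buf_start. */
static uintptr_t unchecked_dst(uintptr_t args, uint64_t offset)
{
	return args - offset;
}

/* Oracle: does a copy of len bytes at dst stay inside [buf_start, buf_end)?
 * The dst <= buf_end test keeps a wrapped dst from slipping through. */
static int dst_in_packet(uintptr_t buf_start, uint64_t pkt_size,
			 uintptr_t dst, uint64_t len)
{
	uintptr_t buf_end = buf_start + pkt_size;

	return dst >= buf_start && dst <= buf_end && len <= buf_end - dst;
}

/* Patched: the two range checks from the hunk, in the same order.
 * Returns 0 and stores the destination, or -EINVAL. */
static int checked_dst(uintptr_t buf_start, uint64_t pkt_size, uintptr_t args,
		       uint64_t offset, uint64_t len, uintptr_t *dst)
{
	uintptr_t buf_end = buf_start + pkt_size;

	if (offset > args - buf_start)
		return -EINVAL;		/* would point before the packet start */
	*dst = args - offset;
	if (len > buf_end - *dst)
		return -EINVAL;		/* copy would run past the packet end */
	return 0;
}

/* Convenience wrapper: the accepted destination, or 0 when rejected
 * (0 is never a valid address in the constructed layout). */
static uintptr_t checked_dst_value(uintptr_t buf_start, uint64_t pkt_size,
				   uintptr_t args, uint64_t offset, uint64_t len)
{
	uintptr_t dst = 0;

	return checked_dst(buf_start, pkt_size, args, offset, len, &dst) ? 0 : dst;
}
```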