ANDROID: ashmem_rust: return EINVAL on offset > size

When calling a pin ioctl with an offset greater than the size of the
ashmem region, an integer underflow occurs. To fix that, return EINVAL
in this scenario.

Bug: 427377651
Change-Id: Ia85732374c2fa4155bcb4c347184e4c1d2bca965
Signed-off-by: Alice Ryhl <aliceryhl@google.com>
Alice Ryhl
2025-06-24 09:25:20 +00:00
committed by Isaac Manjarres
parent d7b077d5e1
commit 94ce385c22


@@ -415,18 +415,17 @@ impl Ashmem {
None => return Err(EINVAL),
};
let max_size = page_align(asma.size);
let remaining = max_size.checked_sub(offset).ok_or(EINVAL)?;
// Per custom, you can pass zero for len to mean "everything onward".
let len = if cmd_len == 0 {
page_align(asma.size) - offset
} else {
cmd_len
};
let len = if cmd_len == 0 { remaining } else { cmd_len };
if (offset | len) & !PAGE_MASK != 0 {
return Err(EINVAL);
}
let len_plus_offset = offset.checked_add(len).ok_or(EINVAL)?;
if page_align(asma.size) < len_plus_offset {
if max_size < len_plus_offset {
return Err(EINVAL);
}
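Review bot: The boundary case `offset == max_size` with `cmd_len == 0` now yields `remaining == 0` and so `len == 0`, and that zero-length range passes every check visible here: the alignment test, the `checked_add`, and the `max_size < len_plus_offset` comparison. The function body continues past the end of this hunk, so whether the later page-range arithmetic tolerates `len == 0` cannot be confirmed from these lines; if it derives a last-page index by subtracting one from a page count, the same class of underflow this commit fixes could come back. Either reject the case explicitly with `if len == 0 { return Err(EINVAL); }` after `len` is computed, or, if an empty range is intentionally accepted for compatibility, say so in a comment such as `// len may be 0 when offset == max_size; the range math below must handle an empty range`. A regression test for both `offset > size` and `offset == size` would pin the intended behaviour.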