From f555e9e4ad112c390f3f26674558276f5210deff Mon Sep 17 00:00:00 2001
From: Manoj Prabhu B
Date: Mon, 9 Oct 2023 12:32:30 +0530
Subject: [PATCH] memshare: Prevent possible integer overflow

Prevent possible integer overflow by sanitizing the alloc request size coming from the client against allottable amount of memory.

Change-Id: I74cb0f7b0808f20299586969fd5c810d44c3e576
Signed-off-by: Manoj Prabhu B
Signed-off-by: Madhab Sharma
---
 drivers/soc/qcom/memshare/msm_memshare.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/drivers/soc/qcom/memshare/msm_memshare.c b/drivers/soc/qcom/memshare/msm_memshare.c
index 43ca69072932..aa747aa4e433 100644
--- a/drivers/soc/qcom/memshare/msm_memshare.c
+++ b/drivers/soc/qcom/memshare/msm_memshare.c
@@ -494,8 +494,12 @@ static void handle_alloc_generic_req(struct qmi_handle *handle,
 }
 }
- if (!memblock[index].allotted) {
- if (memblock[index].guard_band && alloc_req->num_bytes > 0)
+ if (!memblock[index].allotted && alloc_req->num_bytes > 0) {
+
+ if (alloc_req->num_bytes > memblock[index].init_size)
+ alloc_req->num_bytes = memblock[index].init_size;
+
+ if (memblock[index].guard_band)
 size = alloc_req->num_bytes + MEMSHARE_GUARD_BYTES;
 else
 size = alloc_req->num_bytes;
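Review bot: The clamp `alloc_req->num_bytes = memblock[index].init_size;` silently shrinks an oversized client request, and it runs after the `alloc_req->num_bytes > 0` test, so if a slot's `init_size` can be 0 (not visible in this hunk) a non-zero request becomes a zero-byte or guard-band-only allocation. Rejecting the request, or at least re-checking `num_bytes` after the clamp and logging the requested versus granted size, would make a misbehaving client visible instead of quietly accommodating it. Moving `alloc_req->num_bytes > 0` into the outer condition also means a zero-byte request now skips the whole block and is presumably handled like an already-allotted slot by the code after the hunk; that should be confirmed against the response path. A short comment above the clamp, such as `/* num_bytes is client-controlled; cap at init_size so the guard-band add cannot wrap */`, would record why it exists. handle_alloc_generic_req starts and ends outside the hunk.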