From 483683d4d217835945008297e7ebd7c60e6c7a10 Mon Sep 17 00:00:00 2001
From: Wedson Almeida Filho
Date: Wed, 9 Jun 2021 18:41:43 +0100
Subject: [PATCH] binder: Check for underflow when subtracting from user-provided value.
Signed-off-by: Wedson Almeida Filho
---
 drivers/android/process.rs | 17 +++++++++++------
 1 file changed, 11 insertions(+), 6 deletions(-)
diff --git a/drivers/android/process.rs b/drivers/android/process.rs
index 30a057b45f5db1..79a7d7c18ce893 100644
--- a/drivers/android/process.rs
+++ b/drivers/android/process.rs
@@ -545,7 +545,7 @@ impl Process {
 pub(crate) fn buffer_get(&self, ptr: usize) -> Option {
 let mut inner = self.inner.lock();
 let mapping = inner.mapping.as_mut()?;
- let offset = ptr - mapping.address;
+ let offset = ptr.checked_sub(mapping.address)?;
 let (size, odata) = mapping.alloc.reserve_existing(offset).ok()?;
 let mut alloc = Allocation::new(self, offset, size, ptr, mapping.pages.clone());
 if let Some(data) = odata {
@@ -557,12 +557,17 @@ impl Process {
 pub(crate) fn buffer_raw_free(&self, ptr: usize) {
 let mut inner = self.inner.lock();
 if let Some(ref mut mapping) = &mut inner.mapping {
- if mapping
- .alloc
- .reservation_abort(ptr - mapping.address)
- .is_err()
+ if ptr < mapping.address
+ || mapping
+ .alloc
+ .reservation_abort(ptr - mapping.address)
+ .is_err()
 {
- pr_warn!("Offset {} failed to free\n", ptr - mapping.address);
+ pr_warn!(
+ "Pointer {:x} failed to free, base = {:x}\n",
+ ptr,
+ mapping.address
+ );
 }
 }
 }
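Review bot: Only the lower bound of `ptr` is checked at the `checked_sub` line in `buffer_get`; an address past the end of the mapping still yields a large `offset`, and rejecting it is left to `reserve_existing`, whose behaviour is not visible here. If that lookup does fail for every offset without an existing reservation, a comment above the subtraction would make the contract explicit, for example `// ptr is supplied by userspace: reject addresses below the mapping base; reserve_existing rejects offsets with no reservation`. The body of `buffer_get` continues past the end of the hunk, so how `alloc` is used afterwards is not covered by this note.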
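Review bot: The rewritten `pr_warn!` in `buffer_raw_free` now prints the raw `ptr` and `mapping.address` where the old message printed only an offset, and it fires on any pointer the caller passes. If these are addresses in the calling process's mapping, as the "user-provided value" in the commit subject suggests, the kernel log gains layout information about that process and a caller can trigger one warning per request; consider logging less or lowering the level. Separately, the guard and the subtraction are tied together only by `||` short-circuiting, unlike the `checked_sub` used in `buffer_get`. The condition could read `if ptr.checked_sub(mapping.address).map_or(true, |off| mapping.alloc.reservation_abort(off).is_err())`, so the subtraction cannot be reached unguarded after a later edit.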