video: tegra: nvmap: Fix OOB vulnerability

Check all pages' parameters before reserve pages.

Bug 1883463
Bug 1831426
Bug 200247013

Manual port: http://git-psac/r/9287

(cherry picked from commit 61a05b52b8a17593e2817076b9bf59efdd9268ad)

Change-Id: I2f47c385ff8f4a9ca6bf37ee41749bd684ca1a20
Signed-off-by: Xia Yang <xiay@nvidia.com>
Signed-off-by: Sagar Kadamati <skadamati@nvidia.com>
Reviewed-on: http://git-master/r/1273326
Reviewed-on: http://git-master/r/1488769
GVS: Gerrit_Virtual_Submit
Tested-by: Sumit Gupta <sumitg@nvidia.com>
Reviewed-by: Bibek Basu <bbasu@nvidia.com>

1 files changed, 9 insertions, 0 deletions

diff --git a/drivers/video/tegra/nvmap/nvmap_mm.c b/drivers/video/tegra/nvmap/nvmap_mm.c
index 30994e681121..fbf510081be7 100644
--- a/drivers/video/tegra/nvmap/nvmap_mm.c
+++ b/drivers/video/tegra/nvmap/nvmap_mm.c
@@ -235,6 +235,15 @@ int nvmap_reserve_pages(struct nvmap_handle **handles, u32 *offsets, u32 *sizes,
 {
 	int i;
 
+	/* validates all page params first */
+	for (i = 0; i < nr; i++) {
+		u32 size = sizes[i] ? sizes[i] : handles[i]->size;
+		u32 offset = sizes[i] ? offsets[i] : 0;
+
+		if ((offset != 0) || (size != handles[i]->size))
+			return -EINVAL;
+	}
+
 	for (i = 0; i < nr; i++) {
 		u32 size = sizes[i] ? sizes[i] : handles[i]->size;
 		u32 offset = sizes[i] ? offsets[i] : 0;