diff options
author | Sagar Kadamati <skadamati@nvidia.com> | 2016-12-06 11:38:01 +0530 |
---|---|---|
committer | Winnie Hsu <whsu@nvidia.com> | 2017-05-25 13:04:22 -0700 |
commit | ea316a2ba8c8504069b73b8782a5ca3e34283a9e (patch) | |
tree | c1e05bf99fb5d9bef75814e76bf57b654e761097 /drivers/video | |
parent | 98114fbc47ae84c1cd7f67ef6a0fed818adff2e6 (diff) |
video: tegra: nvmap: Fix OOB vulnerability
Check all pages' parameters before reserve pages.
Bug 1883463
Bug 1831426
Bug 200247013
Manual port: http://git-psac/r/9287
(cherry picked from commit 61a05b52b8a17593e2817076b9bf59efdd9268ad)
Change-Id: I2f47c385ff8f4a9ca6bf37ee41749bd684ca1a20
Signed-off-by: Xia Yang <xiay@nvidia.com>
Signed-off-by: Sagar Kadamati <skadamati@nvidia.com>
Reviewed-on: http://git-master/r/1273326
Reviewed-on: http://git-master/r/1488769
GVS: Gerrit_Virtual_Submit
Tested-by: Sumit Gupta <sumitg@nvidia.com>
Reviewed-by: Bibek Basu <bbasu@nvidia.com>
Diffstat (limited to 'drivers/video')
-rw-r--r-- | drivers/video/tegra/nvmap/nvmap_mm.c | 9 |
1 files changed, 9 insertions, 0 deletions
diff --git a/drivers/video/tegra/nvmap/nvmap_mm.c b/drivers/video/tegra/nvmap/nvmap_mm.c index 30994e681121..fbf510081be7 100644 --- a/drivers/video/tegra/nvmap/nvmap_mm.c +++ b/drivers/video/tegra/nvmap/nvmap_mm.c @@ -235,6 +235,15 @@ int nvmap_reserve_pages(struct nvmap_handle **handles, u32 *offsets, u32 *sizes, { int i; + /* validates all page params first */ + for (i = 0; i < nr; i++) { + u32 size = sizes[i] ? sizes[i] : handles[i]->size; + u32 offset = sizes[i] ? offsets[i] : 0; + + if ((offset != 0) || (size != handles[i]->size)) + return -EINVAL; + } + for (i = 0; i < nr; i++) { u32 size = sizes[i] ? sizes[i] : handles[i]->size; u32 offset = sizes[i] ? offsets[i] : 0; |