author | Deepak Nibade <dnibade@nvidia.com> | 2016-06-27 14:03:15 +0530 |
committer | Winnie Hsu <whsu@nvidia.com> | 2016-07-28 22:58:59 -0700 |
commit | bc15da6c6fc2f50109e866fe053b035721a23c3a (patch) | |
tree | 017a46a77372e2a9d064bfa53b7fc92675b28587 /drivers | |
parent | 9a1e9a92e975274f4b3507922b7ab4805defe975 (diff) |
video: tegra: host: fix possible overflow with num_syncpt_incrs
We allocate below without checking whether num_syncpt_incrs
is valid:
struct nvhost_ctrl_sync_fence_info pts[num_syncpt_incrs];
If UMD passes a negative value in num_syncpt_incrs, then
it is possible to corrupt the stack
Hence, first check if num_syncpt_incrs is valid (i.e.
not negative)
And then allocate the array dynamically using kzalloc
instead of allocating it on stack
Bug 1781393
Change-Id: I5389fd271149b457f63831a41c104c9814299ddf
Signed-off-by: Deepak Nibade <dnibade@nvidia.com>
Reviewed-on: http://git-master/r/1171747
(cherry picked from commit 07fb347b4060a888b19df3524f36fcf7974a79d1)
Reviewed-on: http://git-master/r/1172518
(cherry picked from commit 1db2d69b6abeb6fc9d4257db88f631d9c8aef74d)
Reviewed-on: http://git-master/r/1190211
GVS: Gerrit_Virtual_Submit
Reviewed-by: Jeetesh Burman <jburman@nvidia.com>
Tested-by: Jeetesh Burman <jburman@nvidia.com>
Reviewed-by: Arto Merilainen <amerilainen@nvidia.com>
Reviewed-by: Bibek Basu <bbasu@nvidia.com>
Reviewed-by: Winnie Hsu <whsu@nvidia.com>
Diffstat (limited to 'drivers')
-rw-r--r-- | drivers/video/tegra/host/bus_client.c | 14 |
1 files changed, 13 insertions, 1 deletions
diff --git a/drivers/video/tegra/host/bus_client.c b/drivers/video/tegra/host/bus_client.c
index 2bf11ed426c0..fb37a9e06ab3 100644
--- a/drivers/video/tegra/host/bus_client.c
+++ b/drivers/video/tegra/host/bus_client.c
@@ -402,6 +402,9 @@ static int nvhost_ioctl_channel_submit(struct nvhost_channel_userctx *ctx,
 if (num_syncpt_incrs > host->info.nb_pts)
 return -EINVAL;
+ if (num_cmdbufs < 0 || num_syncpt_incrs < 0)
+ return -EINVAL;
+
 job = nvhost_job_alloc(ctx->ch, ctx->hwctx,
 num_cmdbufs,
@@ -580,7 +583,15 @@ static int nvhost_ioctl_channel_submit(struct nvhost_channel_userctx *ctx,
 * syncpoint is used. */
 if (args->flags & BIT(NVHOST_SUBMIT_FLAG_SYNC_FENCE_FD)) {
- struct nvhost_ctrl_sync_fence_info pts[num_syncpt_incrs];
+ struct nvhost_ctrl_sync_fence_info *pts;
+
+ pts = kzalloc(num_syncpt_incrs *
+ sizeof(struct nvhost_ctrl_sync_fence_info),
+ GFP_KERNEL);
+ if (!pts) {
+ err = -ENOMEM;
+ goto fail;
+ }
 for (i = 0; i < num_syncpt_incrs; i++) {
 pts[i].id = job->sp[i].id;
@@ -589,6 +600,7 @@ static int nvhost_ioctl_channel_submit(struct nvhost_channel_userctx *ctx,
 err = nvhost_sync_create_fence_fd(ctx->ch->dev, pts,
 num_syncpt_incrs, "fence", &args->fence);
+ kfree(pts);
 if (err)
 goto fail;
 } else if (num_syncpt_incrs == 1)
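Review bot: The allocation size in the second hunk is an unchecked multiplication, `num_syncpt_incrs * sizeof(struct nvhost_ctrl_sync_fence_info)`; the idiomatic form `pts = kcalloc(num_syncpt_incrs, sizeof(*pts), GFP_KERNEL);` yields the same zeroed buffer with the product overflow-checked by the allocator and the element size tied to the variable's type. In practice the earlier `num_syncpt_incrs > host->info.nb_pts` bound keeps the product small, so this is defence in depth and idiom rather than a reachable fault. The `kfree(pts)` in the third hunk sits before `if (err) goto fail;`, so the error path does not leak; the lines between the second and third hunks (the rest of the fill loop) are not shown, so I am assuming they contain no early exit out of the block. nvhost_ioctl_channel_submit begins and ends outside these hunks.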