DivestOS/Patches/Linux_CVEs/CVE-2016-2468/ANY/0.patch

45 lines
1.5 KiB
Diff
Raw Normal View History

From b5eb67744215b3434a36b9251e28da3dc2a638a6 Mon Sep 17 00:00:00 2001
From: Rajesh Kemisetti <rajeshk@codeaurora.org>
Date: Mon, 9 May 2016 22:12:20 +0530
Subject: msm: kgsl: Add missing checks for alloc size and sglen
In _kgsl_sharedmem_page_alloc(), check for boundary limits
of requested alloc size before honoring and make sure sglen
is greater than zero before marking it as end of sg list.
Change-Id: I8b9e225e515a0f31593df6f4cad253236475d0ae
Signed-off-by: Rajesh Kemisetti <rajeshk@codeaurora.org>
---
drivers/gpu/msm/kgsl_sharedmem.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/drivers/gpu/msm/kgsl_sharedmem.c b/drivers/gpu/msm/kgsl_sharedmem.c
index 079b9ff..98f634d 100644
--- a/drivers/gpu/msm/kgsl_sharedmem.c
+++ b/drivers/gpu/msm/kgsl_sharedmem.c
@@ -609,6 +609,10 @@ _kgsl_sharedmem_page_alloc(struct kgsl_memdesc *memdesc,
unsigned int align;
int step = ((VMALLOC_END - VMALLOC_START)/8) >> PAGE_SHIFT;
+ size = PAGE_ALIGN(size);
+ if (size == 0 || size > UINT_MAX)
+ return -EINVAL;
+
align = (memdesc->flags & KGSL_MEMALIGN_MASK) >> KGSL_MEMALIGN_SHIFT;
page_size = get_page_size(size, align);
@@ -712,7 +716,9 @@ _kgsl_sharedmem_page_alloc(struct kgsl_memdesc *memdesc,
memdesc->sglen = sglen;
memdesc->size = size;
- sg_mark_end(&memdesc->sg[sglen - 1]);
+
+ if (sglen > 0)
+ sg_mark_end(&memdesc->sg[sglen - 1]);
/*
* All memory that goes to the user has to be zeroed out before it gets
--
cgit v1.1