DivestOS/Patches/Linux_CVEs/CVE-2017-8281/3.18/0001.patch
2017-11-07 17:32:46 -05:00

41 lines
1.4 KiB
Diff

From 9be5b16de622c2426408425e3df29e945cd21d37 Mon Sep 17 00:00:00 2001
From: Kasin Li <donglil@codeaurora.org>
Date: Wed, 22 Feb 2017 18:25:36 +0800
Subject: drm/msm: Fix potential buffer overflow issue
In function submit_create, if nr_cmds or nr_bos is assigned with
negative value, the allocated buffer may be small than intended.
Using this buffer will lead to buffer overflow issue.
Change-Id: I0b61cccffd836e2dd3c859446470af4b6451b9ed
Signed-off-by: Kasin Li <donglil@codeaurora.org>
---
drivers/gpu/drm/msm/msm_gem_submit.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/drivers/gpu/drm/msm/msm_gem_submit.c b/drivers/gpu/drm/msm/msm_gem_submit.c
index adbb0cb..fa9b641 100644
--- a/drivers/gpu/drm/msm/msm_gem_submit.c
+++ b/drivers/gpu/drm/msm/msm_gem_submit.c
@@ -34,12 +34,15 @@ static inline void __user *to_user_ptr(u64 address)
}
static struct msm_gem_submit *submit_create(struct drm_device *dev,
- struct msm_gpu *gpu, int nr_cmds, int nr_bos)
+ struct msm_gpu *gpu, uint32_t nr_cmds, uint32_t nr_bos)
{
struct msm_gem_submit *submit;
- int sz = sizeof(*submit) + (nr_bos * sizeof(submit->bos[0])) +
+ uint64_t sz = sizeof(*submit) + (nr_bos * sizeof(submit->bos[0])) +
(nr_cmds * sizeof(submit->cmd[0]));
+ if (sz > SIZE_MAX)
+ return NULL;
+
submit = kmalloc(sz, GFP_TEMPORARY | __GFP_NOWARN | __GFP_NORETRY);
if (submit) {
submit->dev = dev;
--
cgit v1.1