mirror of
https://github.com/Divested-Mobile/DivestOS-Build.git
synced 2024-10-01 05:35:54 +00:00
41 lines
1.4 KiB
Diff
41 lines
1.4 KiB
Diff
From 9be5b16de622c2426408425e3df29e945cd21d37 Mon Sep 17 00:00:00 2001
|
|
From: Kasin Li <donglil@codeaurora.org>
|
|
Date: Wed, 22 Feb 2017 18:25:36 +0800
|
|
Subject: drm/msm: Fix potential buffer overflow issue
|
|
|
|
In function submit_create, if nr_cmds or nr_bos is assigned with
|
|
negative value, the allocated buffer may be small than intended.
|
|
Using this buffer will lead to buffer overflow issue.
|
|
|
|
Change-Id: I0b61cccffd836e2dd3c859446470af4b6451b9ed
|
|
Signed-off-by: Kasin Li <donglil@codeaurora.org>
|
|
---
|
|
drivers/gpu/drm/msm/msm_gem_submit.c | 7 +++++--
|
|
1 file changed, 5 insertions(+), 2 deletions(-)
|
|
|
|
diff --git a/drivers/gpu/drm/msm/msm_gem_submit.c b/drivers/gpu/drm/msm/msm_gem_submit.c
|
|
index adbb0cb..fa9b641 100644
|
|
--- a/drivers/gpu/drm/msm/msm_gem_submit.c
|
|
+++ b/drivers/gpu/drm/msm/msm_gem_submit.c
|
|
@@ -34,12 +34,15 @@ static inline void __user *to_user_ptr(u64 address)
|
|
}
|
|
|
|
static struct msm_gem_submit *submit_create(struct drm_device *dev,
|
|
- struct msm_gpu *gpu, int nr_cmds, int nr_bos)
|
|
+ struct msm_gpu *gpu, uint32_t nr_cmds, uint32_t nr_bos)
|
|
{
|
|
struct msm_gem_submit *submit;
|
|
- int sz = sizeof(*submit) + (nr_bos * sizeof(submit->bos[0])) +
|
|
+ uint64_t sz = sizeof(*submit) + (nr_bos * sizeof(submit->bos[0])) +
|
|
(nr_cmds * sizeof(submit->cmd[0]));
|
|
|
|
+ if (sz > SIZE_MAX)
|
|
+ return NULL;
|
|
+
|
|
submit = kmalloc(sz, GFP_TEMPORARY | __GFP_NOWARN | __GFP_NORETRY);
|
|
if (submit) {
|
|
submit->dev = dev;
|
|
--
|
|
cgit v1.1
|
|
|