DivestOS/Patches/Linux_CVEs-New/CVE-2016-2468/ANY/1.patch
2017-10-29 14:23:02 -04:00

37 lines
5.0 KiB
Diff

<!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><title>Diff - eb6cc9d4af6791d4d34075e3fa08f0c858087a8c^! - kernel/msm.git - Git at Google</title><link rel="stylesheet" type="text/css" href="/+static/base.HLL9TqKl0YYybSzmT_wTdw.cache.css"><!-- default customHeadTagPart --></head><body class="Site"><header class="Site-header"><div class="Header"><a class="Header-image" href="/"><img src="//www.gstatic.com/images/branding/lockups/2x/lockup_git_color_108x24dp.png" width="108" height="24" alt="Google Git"></a><div class="Header-menu"> <a class="Header-menuItem" href="https://accounts.google.com/AccountChooser?service=gerritcodereview&amp;continue=https://android.googlesource.com/login/kernel/msm.git/%2B/eb6cc9d4af6791d4d34075e3fa08f0c858087a8c%255E%2521/">Sign in</a> </div></div></header><div class="Site-content"><div class="Container "><div class="Breadcrumbs"><a class="Breadcrumbs-crumb" href="/?format=HTML">android</a> / <a class="Breadcrumbs-crumb" href="/kernel/">kernel</a> / <a class="Breadcrumbs-crumb" href="/kernel/msm.git/">msm.git</a> / <a class="Breadcrumbs-crumb" href="/kernel/msm.git/+/eb6cc9d4af6791d4d34075e3fa08f0c858087a8c%5E%21/">eb6cc9d4af6791d4d34075e3fa08f0c858087a8c^!</a> / <span class="Breadcrumbs-crumb">.</span></div><div class="u-monospace Metadata"><table><tr><th class="Metadata-title">commit</th><td>eb6cc9d4af6791d4d34075e3fa08f0c858087a8c</td><td><span>[<a href="/kernel/msm.git/+log/eb6cc9d4af6791d4d34075e3fa08f0c858087a8c/">log</a>]</span> <span>[<a href="/kernel/msm.git/+archive/eb6cc9d4af6791d4d34075e3fa08f0c858087a8c/.tar.gz">tgz</a>]</span></td></tr><tr><th class="Metadata-title">author</th><td>Rajesh Kemisetti &lt;rajeshk@codeaurora.org&gt;</td><td>Tue Apr 19 15:42:12 2016 -0700</td></tr><tr><th class="Metadata-title">committer</th><td>Yuan Lin &lt;yualin@google.com&gt;</td><td>Tue Apr 19 22:46:09 2016 +0000</td></tr><tr><th class="Metadata-title">tree</th><td><a href="/kernel/msm.git/+/eb6cc9d4af6791d4d34075e3fa08f0c858087a8c/">e573a8e6012cf35a0adc0983182fa3b007645d98</a></td></tr><tr><th class="Metadata-title">parent</th><td><a href="/kernel/msm.git/+/eb6cc9d4af6791d4d34075e3fa08f0c858087a8c%5E">4029268991f478b98b6d37106af8f1f635c0b595</a> <span>[<a href="/kernel/msm.git/+/eb6cc9d4af6791d4d34075e3fa08f0c858087a8c%5E%21/">diff</a>]</span></td></tr></table></div><pre class="u-pre u-monospace MetadataMessage">msm: kgsl: Add missing checks for alloc size and sglen
In _kgsl_sharedmem_page_alloc():
- Make len of type size_t to be in line with size.
- Check for boundary limits of requested alloc size before honoring.
- Make sure sglen is greater than zero before marking it as end
of sg list.
Bug: 27475454
Change-Id: <a href="https://android-review.googlesource.com/#/q/I5b2e6f657f532fc256627cb6b2ab3ca01938a11b">I5b2e6f657f532fc256627cb6b2ab3ca01938a11b</a>
Signed-off-by: Yuan Lin &lt;yualin@google.com&gt;
</pre><pre class="u-pre u-monospace Diff"><a name="F0" class="Diff-fileIndex"></a>diff --git <a href="/kernel/msm.git/+/4029268991f478b98b6d37106af8f1f635c0b595/drivers/gpu/msm/kgsl_sharedmem.c">a/drivers/gpu/msm/kgsl_sharedmem.c</a> <a href="/kernel/msm.git/+/eb6cc9d4af6791d4d34075e3fa08f0c858087a8c/drivers/gpu/msm/kgsl_sharedmem.c">b/drivers/gpu/msm/kgsl_sharedmem.c</a>
index 29f6162..a138719 100644
--- a/drivers/gpu/msm/kgsl_sharedmem.c
+++ b/drivers/gpu/msm/kgsl_sharedmem.c
</pre><pre class="u-pre u-monospace Diff-unified"><span class="Diff-hunk">@@ -592,13 +592,18 @@
</span><span class="Diff-change"> size_t size)</span>
<span class="Diff-change"> {</span>
<span class="Diff-change"> int pcount = 0, order, ret = 0;</span>
<span class="Diff-delete">- int j, len, page_size, sglen_alloc, sglen = 0;</span>
<span class="Diff-insert">+ int j, page_size, sglen_alloc, sglen = 0;</span>
<span class="Diff-change"> struct page **pages = NULL;</span>
<span class="Diff-change"> pgprot_t page_prot = pgprot_writecombine(PAGE_KERNEL);</span>
<span class="Diff-change"> void *ptr;</span>
<span class="Diff-insert">+ size_t len;</span>
<span class="Diff-change"> unsigned int align;</span>
<span class="Diff-change"> int step = SZ_2M &gt;&gt; PAGE_SHIFT;</span>
<span class="Diff-change"> </span>
<span class="Diff-insert">+ size = PAGE_ALIGN(size);</span>
<span class="Diff-insert">+ if (size == 0 || size &gt; UINT_MAX)</span>
<span class="Diff-insert">+ return -EINVAL;</span>
<span class="Diff-insert">+</span>
<span class="Diff-change"> align = (memdesc-&gt;flags &amp; KGSL_MEMALIGN_MASK) &gt;&gt; KGSL_MEMALIGN_SHIFT;</span>
<span class="Diff-change"> </span>
<span class="Diff-change"> page_size = (align &gt;= ilog2(SZ_64K) &amp;&amp; size &gt;= SZ_64K)</span>
</pre></div> <!-- Container --></div> <!-- Site-content --><!-- default customFooter --><footer class="Site-footer"><div class="Footer"><span class="Footer-poweredBy">Powered by <a href="https://gerrit.googlesource.com/gitiles/">Gitiles</a></span><span class="Footer-formats"><a class="u-monospace Footer-formatsItem" href="?format=TEXT">txt</a> <a class="u-monospace Footer-formatsItem" href="?format=JSON">json</a></span></div></footer></body></html>