diff options
| author | Somasundaram S <somasundaram@nvidia.com> | 2016-03-10 17:33:11 +0530 |
|---|---|---|
| committer | Matthew Pedro <mapedro@nvidia.com> | 2016-03-16 09:36:37 -0700 |
| commit | 6458d55f01d9256959b13ea5791067407b82ed20 (patch) | |
| tree | 6a8b60cea39f18b66b9f4fdc6edccaf764e6231b | |
| parent | 5c8ffda63151d70390f10e8c9d111baafc786fda (diff) | |
media: tegra: nvavp: Fix heap overflow
Increase NVAVP_MAX_RELOCATION_COUNT to max. possible value
and add check to return error if num_relocs in
nvavp_pushbuffer_submit_ioctl exceeds
NVAVP_MAX_RELOCATION_COUNT
Bug 1739930
Change-Id: Ief36cedd692aa53135fc6a0039b19f18609259dd
Signed-off-by: Somasundaram S <somasundaram@nvidia.com>
Reviewed-on: http://git-master/r/1030885
Tested-by: Somu Sundaram <somasundarams@nvidia.com>
Reviewed-by: Automatic_Commit_Validation_User
Reviewed-by: Bharat Nihalani <bnihalani@nvidia.com>
| -rw-r--r-- | drivers/media/platform/tegra/nvavp/nvavp_dev.c | 8 | ||||
| -rw-r--r-- | include/linux/tegra_nvavp.h | 4 |
2 files changed, 9 insertions, 3 deletions
diff --git a/drivers/media/platform/tegra/nvavp/nvavp_dev.c b/drivers/media/platform/tegra/nvavp/nvavp_dev.c index 2411626326ec..089e14a5ff96 100644 --- a/drivers/media/platform/tegra/nvavp/nvavp_dev.c +++ b/drivers/media/platform/tegra/nvavp/nvavp_dev.c @@ -1,7 +1,7 @@ /* * drivers/media/video/tegra/nvavp/nvavp_dev.c * - * Copyright (c) 2011-2014, NVIDIA CORPORATION. All rights reserved. + * Copyright (c) 2011-2016, NVIDIA CORPORATION. All rights reserved. * * This file is licensed under the terms of the GNU General Public License * version 2. This program is licensed "as is" without any warranty of any @@ -1525,6 +1525,12 @@ static int nvavp_pushbuffer_submit_ioctl(struct file *filp, unsigned int cmd, if (!hdr.cmdbuf.mem) return 0; + if (hdr.num_relocs > NVAVP_MAX_RELOCATION_COUNT) { + dev_err(&nvavp->nvhost_dev->dev, + "invalid num_relocs %d\n", hdr.num_relocs); + return -EINVAL; + } + if (copy_from_user(clientctx->relocs, (void __user *)hdr.relocs, sizeof(struct nvavp_reloc) * hdr.num_relocs)) { return -EFAULT; diff --git a/include/linux/tegra_nvavp.h b/include/linux/tegra_nvavp.h index 7862e9b2a2d5..5596b291418c 100644 --- a/include/linux/tegra_nvavp.h +++ b/include/linux/tegra_nvavp.h @@ -1,7 +1,7 @@ /* * include/linux/tegra_nvavp.h * - * Copyright (c) 2012-2014, NVIDIA CORPORATION. All rights reserved. + * Copyright (c) 2012-2016, NVIDIA CORPORATION. All rights reserved. * * This file is licensed under the terms of the GNU General Public License * version 2. This program is licensed "as is" without any warranty of any @@ -14,7 +14,7 @@ #include <linux/ioctl.h> #include <linux/types.h> -#define NVAVP_MAX_RELOCATION_COUNT 64 +#define NVAVP_MAX_RELOCATION_COUNT 65 /* avp submit flags */ #define NVAVP_FLAG_NONE 0x00000000 |