authorSomu Sundaram <somasundaram@nvidia.com>2016-03-15 18:31:57 +0530
committerMatthew Pedro <mapedro@nvidia.com>2016-04-05 13:56:54 -0700
commitc87e60a0b17e565fee2f065a651cab849ae8335b (patch)
treef65303a505dc86d4b74480eecd0cd7d23e7396b3
parent5d78423f5051ddf0b94ca26e9d1c2e9d3e83a939 (diff)
media: tegra: nvavp: Fix arbitrary kernel write
Add checks for command buffer offset, relocation offset in command buffer and target offset for patching relocation to prevent arbitrary kernel write Bug 1741516 Change-Id: Ia6183ca75f983c0ede23606be9e5d824aa5fa41d Signed-off-by: Somu Sundaram <somasundaram@nvidia.com> Reviewed-on: http://git-master/r/1111699 Reviewed-by: Automatic_Commit_Validation_User Reviewed-by: Matthew Pedro <mapedro@nvidia.com> GVS: Gerrit_Virtual_Submit Tested-by: Somu Sundaram <somasundarams@nvidia.com> Reviewed-by: Bibek Basu <bbasu@nvidia.com> Reviewed-by: Bharat Nihalani <bnihalani@nvidia.com>
-rw-r--r--drivers/media/platform/tegra/nvavp/nvavp_dev.c24
1 files changed, 24 insertions, 0 deletions
diff --git a/drivers/media/platform/tegra/nvavp/nvavp_dev.c b/drivers/media/platform/tegra/nvavp/nvavp_dev.c
index 089e14a5ff96..f24b690131fa 100644
--- a/drivers/media/platform/tegra/nvavp/nvavp_dev.c
+++ b/drivers/media/platform/tegra/nvavp/nvavp_dev.c
@@ -1543,6 +1543,13 @@ static int nvavp_pushbuffer_submit_ioctl(struct file *filp, unsigned int cmd,
return PTR_ERR(cmdbuf_dmabuf);
}
+ if (hdr.cmdbuf.offset > cmdbuf_dmabuf->size) {
+ dev_err(&nvavp->nvhost_dev->dev,
+ "invalid cmdbuf offset %d\n", hdr.cmdbuf.offset);
+ ret = -EINVAL;
+ goto err_dmabuf_attach;
+ }
+
cmdbuf_attach = dma_buf_attach(cmdbuf_dmabuf, &nvavp->nvhost_dev->dev);
if (IS_ERR(cmdbuf_attach)) {
dev_err(&nvavp->nvhost_dev->dev, "cannot attach cmdbuf_dmabuf\n");
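Review bot: The new bound uses `>`, so an hdr.cmdbuf.offset equal to cmdbuf_dmabuf->size is still accepted even though it already points past the last byte of the buffer; `if (hdr.cmdbuf.offset >= cmdbuf_dmabuf->size) {` closes that. The relocation-offset and target-offset checks in the two later hunks use the same `>` comparison and need the same change. This check also bounds only where the command stream starts; nothing in the hunk compares the submitted length with the space remaining after the offset, so that is worth confirming in the part of nvavp_pushbuffer_submit_ioctl that lies outside the hunk.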
@@ -1580,6 +1587,14 @@ static int nvavp_pushbuffer_submit_ioctl(struct file *filp, unsigned int cmd,
goto err_reloc_info;
}
+ if (clientctx->relocs[i].cmdbuf_offset > cmdbuf_dmabuf->size) {
+ dev_err(&nvavp->nvhost_dev->dev,
+ "invalid reloc offset in cmdbuf %d\n",
+ clientctx->relocs[i].cmdbuf_offset);
+ ret = -EINVAL;
+ goto err_reloc_info;
+ }
+
reloc_addr = cmdbuf_data +
(clientctx->relocs[i].cmdbuf_offset >> 2);
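Review bot: The relocation check compares cmdbuf_offset with the whole buffer size, but the patched location is `cmdbuf_data + (cmdbuf_offset >> 2)` and the store there is presumably one 32-bit word, so an offset within the last three bytes still reaches past the end. cmdbuf_data is assigned outside this hunk; if it already includes hdr.cmdbuf.offset, the bound has to be taken on the remaining space, for example `avail = cmdbuf_dmabuf->size - hdr.cmdbuf.offset;` followed by `if (avail < sizeof(u32) || clientctx->relocs[i].cmdbuf_offset > avail - sizeof(u32)) {`. The `>> 2` also discards the low two bits silently, so rejecting unaligned values with `clientctx->relocs[i].cmdbuf_offset & 3` would make the accepted range explicit.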
@@ -1588,6 +1603,15 @@ static int nvavp_pushbuffer_submit_ioctl(struct file *filp, unsigned int cmd,
ret = PTR_ERR(target_dmabuf);
goto target_dmabuf_fail;
}
+
+ if (clientctx->relocs[i].target_offset > target_dmabuf->size) {
+ dev_err(&nvavp->nvhost_dev->dev,
+ "invalid target offset in reloc %d\n",
+ clientctx->relocs[i].target_offset);
+ ret = -EINVAL;
+ goto target_attach_fail;
+ }
+
target_attach = dma_buf_attach(target_dmabuf,
&nvavp->nvhost_dev->dev);
if (IS_ERR(target_attach)) {
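Review bot: The rejected target_offset is printed with `%d`, which shows a large out-of-range value as a negative number if the field is an unsigned 32-bit quantity, as the comparison with a buffer size suggests; `"invalid target offset in reloc %u\n"` would log the value that was actually supplied. The two earlier messages for the cmdbuf offset and the reloc offset use the same specifier. All three messages are reachable from an ioctl with caller-chosen values, so `dev_err_ratelimited(` in place of `dev_err(` keeps a misbehaving client from flooding the kernel log. The target_attach_fail label is outside the hunk, so it should be confirmed that it releases the reference taken on target_dmabuf.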