author | Somu Sundaram <somasundaram@nvidia.com> | 2016-03-18 12:52:59 +0530 |
---|---|---|
committer | Matthew Pedro <mapedro@nvidia.com> | 2016-04-05 13:57:03 -0700 |
commit | 69291e6a08ddef8fc504d57f5e995fc336ca14c2 (patch) | |
tree | b515087f19a9d0cc576e4ef85e271b0e6993797e | |
parent | c87e60a0b17e565fee2f065a651cab849ae8335b (diff) |
media: tegra: nvavp: Fix reloc offset check
- Check whether command buffer data offset is 32-bit
aligned
- Check whether relocation offset is 32-bit aligned
and calculated offset is within command buffer size
- Check whether target offset is 32-bit aligned
and derived address is within target buffer size
Bug 1741516
Change-Id: Ie5370bc1538c8cf9a702904fb88eb850baeb063d
Signed-off-by: Somu Sundaram <somasundaram@nvidia.com>
Reviewed-on: http://git-master/r/1113949
Reviewed-by: Automatic_Commit_Validation_User
GVS: Gerrit_Virtual_Submit
Tested-by: Somu Sundaram <somasundarams@nvidia.com>
Reviewed-by: Bibek Basu <bbasu@nvidia.com>
Reviewed-by: Bharat Nihalani <bnihalani@nvidia.com>
-rw-r--r-- | drivers/media/platform/tegra/nvavp/nvavp_dev.c | 13 |
1 files changed, 10 insertions, 3 deletions
diff --git a/drivers/media/platform/tegra/nvavp/nvavp_dev.c b/drivers/media/platform/tegra/nvavp/nvavp_dev.c
index f24b690131fa..4ca6d3069d3f 100644
--- a/drivers/media/platform/tegra/nvavp/nvavp_dev.c
+++ b/drivers/media/platform/tegra/nvavp/nvavp_dev.c
@@ -1543,7 +1543,8 @@ static int nvavp_pushbuffer_submit_ioctl(struct file *filp, unsigned int cmd,
 return PTR_ERR(cmdbuf_dmabuf);
 }
- if (hdr.cmdbuf.offset > cmdbuf_dmabuf->size) {
+ if ((hdr.cmdbuf.offset & 3)
+ || (hdr.cmdbuf.offset >= cmdbuf_dmabuf->size)) {
 dev_err(&nvavp->nvhost_dev->dev, "invalid cmdbuf offset %d\n", hdr.cmdbuf.offset);
 ret = -EINVAL;
@@ -1587,7 +1588,11 @@ static int nvavp_pushbuffer_submit_ioctl(struct file *filp, unsigned int cmd,
 goto err_reloc_info;
 }
- if (clientctx->relocs[i].cmdbuf_offset > cmdbuf_dmabuf->size) {
+ if ((clientctx->relocs[i].cmdbuf_offset & 3)
+ || (clientctx->relocs[i].cmdbuf_offset >=
+ cmdbuf_dmabuf->size)
+ || (clientctx->relocs[i].cmdbuf_offset >=
+ (cmdbuf_dmabuf->size - hdr.cmdbuf.offset))) {
 dev_err(&nvavp->nvhost_dev->dev, "invalid reloc offset in cmdbuf %d\n", clientctx->relocs[i].cmdbuf_offset);
@@ -1604,7 +1609,9 @@ static int nvavp_pushbuffer_submit_ioctl(struct file *filp, unsigned int cmd,
 goto target_dmabuf_fail;
 }
- if (clientctx->relocs[i].target_offset > target_dmabuf->size) {
+ if ((clientctx->relocs[i].target_offset & 3)
+ || (clientctx->relocs[i].target_offset >=
+ target_dmabuf->size)) {
 dev_err(&nvavp->nvhost_dev->dev, "invalid target offset in reloc %d\n", clientctx->relocs[i].target_offset); |
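Review bot: The new test in the first hunk bounds only where the command stream starts: `hdr.cmdbuf.offset` must be 4-byte aligned and below `cmdbuf_dmabuf->size`, but nothing visible here checks that the stream's length also fits in `cmdbuf_dmabuf->size - hdr.cmdbuf.offset`. If the submit header carries a length or word-count field (not visible in this hunk), it should be validated at this same point, since these values presumably arrive from the ioctl caller. The bare mask would also read more clearly as `!IS_ALIGNED(hdr.cmdbuf.offset, sizeof(u32))`, and the same applies to the `& 3` tests in the second and third hunks. The body of nvavp_pushbuffer_submit_ioctl starts and ends outside the hunk.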
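Review bot: In the second hunk the middle clause `cmdbuf_offset >= cmdbuf_dmabuf->size` is implied by the last one, because the earlier cmdbuf check already guarantees `hdr.cmdbuf.offset < cmdbuf_dmabuf->size`, so `cmdbuf_dmabuf->size - hdr.cmdbuf.offset` never exceeds the size. That earlier check is also the only thing keeping the subtraction from wrapping, so a comment such as `/* hdr.cmdbuf.offset < size was verified above, so this cannot underflow */` would protect it against a later reorder. The test proves only that the first byte of the relocation slot is in range; a whole 32-bit slot fits only if the buffer size is itself a multiple of 4, which is likely for a dma-buf but is not checked here. The same first-byte-only reasoning applies to `target_offset` in the third hunk.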