author: Tuomas Tynkkynen <ttynkkynen@nvidia.com> 2012-07-30 12:40:45 +0300
committer: Simone Willett <swillett@nvidia.com> 2012-07-31 14:59:00 -0700
commit: afb5a244504ac8535aa80781f0faf4d629d6dc32
tree: 15eedd3f9790e5ca340bd1965fc860c2741993a7 /samples
parent: 524a9932de822961cd6fda49560af637bf8e9722
video: tegra: nvmap: Fix two integer overflows.
nvmap_ioctl_pinop kmalloc's a temporary buffer, whose length is directly given by ioctl parameter from usermode. The total size of the buffer is not checked for overflow, which will cause a kernel panic with some inputs. Also, a sizeof() is applied to wrong type when calculating the amount of bytes to copy from userspace.

nvmap_map_into_caller_ptr attempts to validate that the memory range to be mapped is correct, but integer overflow can cause the check to fail. This will lead to mapping wrong pages from the allocated handle later on, when the page fault handler gets called.

Bug 1025502

Change-Id: I71a09c40c209dba9c5b37c3912e92a81e6f87e80
Signed-off-by: Tuomas Tynkkynen <ttynkkynen@nvidia.com>
Diffstat (limited to 'samples')
0 files changed, 0 insertions, 0 deletions
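
The two overflow classes named in the commit message, shown as an added user-space C example; this is not the nvmap driver's code. The type `pin_entry_t`, the functions `pin_array_bytes`, `range_ok_naive` and `range_ok_checked`, the 32-bit field widths and all sample values are assumptions constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical per-entry type; stands in for what the ioctl copies. */
typedef struct { uint32_t handle; } pin_entry_t;

/* Byte size of `count` entries for an untrusted count. Returns false if
 * count is zero or the multiplication would overflow size_t. */
bool pin_array_bytes(size_t count, size_t *bytes_out)
{
    if (count == 0 || count > SIZE_MAX / sizeof(pin_entry_t))
        return false;
    /* sizeof the element type, so allocation and copy lengths agree */
    *bytes_out = count * sizeof(pin_entry_t);
    return true;
}

/* Unsafe form: offset + length wraps modulo 2^32, so a huge offset passes. */
bool range_ok_naive(uint32_t offset, uint32_t length, uint32_t size)
{
    return (uint32_t)(offset + length) <= size;
}

/* Safe form: compares by subtraction, so nothing can wrap. */
bool range_ok_checked(uint32_t offset, uint32_t length, uint32_t size)
{
    return offset <= size && length <= size - offset;
}

int main(void)
{
    size_t bytes = 0;
    bool ok = pin_array_bytes(4, &bytes);              /* constructed input */
    printf("count=4        ok=%d bytes=%zu\n", ok, bytes);
    ok = pin_array_bytes(SIZE_MAX / 2, &bytes);        /* would overflow */
    printf("count=SIZE_MAX/2 ok=%d\n", ok);

    /* Constructed range: offset near 2^32, handle size 0x10000. */
    uint32_t off = 0xFFFFF000u, len = 0x2000u, size = 0x10000u;
    printf("naive=%d checked=%d\n",
           range_ok_naive(off, len, size), range_ok_checked(off, len, size));
    return 0;
}
```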