From 6458d55f01d9256959b13ea5791067407b82ed20 Mon Sep 17 00:00:00 2001 From: Somasundaram S Date: Thu, 10 Mar 2016 17:33:11 +0530 Subject: media: tegra: nvavp: Fix heap overflow Increase NVAVP_MAX_RELOCATION_COUNT to max. possible value and add check to return error if num_relocs in nvavp_pushbuffer_submit_ioctl exceeds NVAVP_MAX_RELOCATION_COUNT Bug 1739930 Change-Id: Ief36cedd692aa53135fc6a0039b19f18609259dd Signed-off-by: Somasundaram S Reviewed-on: http://git-master/r/1030885 Tested-by: Somu Sundaram Reviewed-by: Automatic_Commit_Validation_User Reviewed-by: Bharat Nihalani --- drivers/media/platform/tegra/nvavp/nvavp_dev.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) (limited to 'drivers/media') diff --git a/drivers/media/platform/tegra/nvavp/nvavp_dev.c b/drivers/media/platform/tegra/nvavp/nvavp_dev.c index 2411626326ec..089e14a5ff96 100644 --- a/drivers/media/platform/tegra/nvavp/nvavp_dev.c +++ b/drivers/media/platform/tegra/nvavp/nvavp_dev.c @@ -1,7 +1,7 @@ /* * drivers/media/video/tegra/nvavp/nvavp_dev.c * - * Copyright (c) 2011-2014, NVIDIA CORPORATION. All rights reserved. + * Copyright (c) 2011-2016, NVIDIA CORPORATION. All rights reserved. * * This file is licensed under the terms of the GNU General Public License * version 2. This program is licensed "as is" without any warranty of any @@ -1525,6 +1525,12 @@ static int nvavp_pushbuffer_submit_ioctl(struct file *filp, unsigned int cmd, if (!hdr.cmdbuf.mem) return 0; + if (hdr.num_relocs > NVAVP_MAX_RELOCATION_COUNT) { + dev_err(&nvavp->nvhost_dev->dev, + "invalid num_relocs %d\n", hdr.num_relocs); + return -EINVAL; + } + if (copy_from_user(clientctx->relocs, (void __user *)hdr.relocs, sizeof(struct nvavp_reloc) * hdr.num_relocs)) { return -EFAULT; -- cgit v1.2.3